Message-ID: <5193DE2E.8060107@xk7.net>
Date: Wed, 15 May 2013 20:12:46 +0100
From: Paul Waring
To: pgsql-www@postgresql.org
Subject: Re: Can we change auto-logout timing on wiki.postgresql.org?
On 15/05/13 19:47, Magnus Hagander wrote:
> On Wed, May 15, 2013 at 8:44 PM, Paul Waring wrote:
>> On 15/05/13 19:00, Magnus Hagander wrote:
>>>
>>> On Wed, May 15, 2013 at 7:58 PM, Josh Berkus wrote:
>>>>
>>>> On 05/15/2013 10:55 AM, Josh Berkus wrote:
>>>>>
>>>>> WWW,
>>>>>
>>>>> First off, whatever tuning you did didn't work. I'm still getting
>>>>> logged out, after considerably less than 6 hours. I'd say about 20min,
>>>>> in fact.
>>>>
>>>> Wait, no. That's not the issue. The real issue is somewhat stranger.
>>>>
>>>> 1. log into wiki.postgresql.org.
>>>>
>>>> 2. in a new browser tab/window, follow this link:
>>>>
>>>> http://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>>>
>>>> ... you will find yourself not logged in on that tab, even though you
>>>> are on another tab.
>>>>
>>>> 3. now click this link:
>>>>
>>>> https://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>>>
>>>> ... now you're logged in. WTF? Apparently login state is only detected
>>>> for HTTPS links?
>>>
>>> Yes, the login cookie is set to be sent only over https, for security
>>> reasons.
>>>
>>> For our other websites, this will be automatically detected and you
>>> get redirected to https (try going to your account page on the main
>>> website with http for example), but at least I don't know of a way to
>>> do that in mediawiki.
>>>
>>> Should be easy enough to see - check your mediawiki cookies, and
>>> you'll see they are enabled for https only.
>>
>> That's not quite accurate - there are three cookies set by *.postgresql.org:
>>
>> postgresql.org - csrftoken (expires a year after being set)
>
> That one is, I believe, not actually part of that site. It's leaking
> over from the main website.
>
>> postgresql.org - sessionid (expires two weeks after being set)
>> wiki.postgresql.org - wikidb_session (expires on browser close)
>>
>> Only the sessionid cookie requires a https connection, the other cookies
>> will be sent if a request is made over a http connection.
>
> Yes. But the interesting cookies here are wikidbUserID and wikidbUserName.
>
>> If all wiki connections should be over https - including guests - then that
>> can be accomplished via a simple rule in the Apache virtual host
>> configuration. If only logged in users require https then you'd need either
>
> Assuming we used apache. But yes, that's a trivial configuration in
> any webserver. That is not the current intention, though we might want
> to revisit that in the future.
>
>> a plugin to handle this, or register a 'hook' which is a small piece of PHP
>> which is run before Mediawiki displays a page and forces a redirect if the
>> request was not made over https *and* the wikidb_session cookie is set.
>
> Do you know if there's a readymade plugin that supports this?

There does not appear to be one - the two which did exist have been deprecated and not updated since 2009, and in any case they only forced https on pages such as the login.
-- 
Paul Waring
http://www.pwaring.com
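The logged-in-only redirect hook Paul describes, written out as an added example that is not part of the thread and not MediaWiki's own code: a LocalSettings.php fragment registering a BeforeInitialize hook. It assumes the hook signature and the WebRequest/OutputPage methods as I recall them from MediaWiki of that era, $wgDBname = 'wikidb' with the default cookie prefix (so the cookies are wikidb_session and wikidbUserID, as in the thread), and a $wgServer of the form 'http://wiki.postgresql.org'.

```php
<?php
// Added example for LocalSettings.php, not code from the thread or from
// MediaWiki itself. Assumed: BeforeInitialize hook signature,
// WebRequest::getProtocol()/getCookie()/getRequestURL(), OutputPage::redirect(),
// $wgDBname = 'wikidb' with the default $wgCookiePrefix, and $wgServer set
// to 'http://<host>'.

/**
 * Bounce an http request that carries a wiki login cookie to the same URL
 * over https. Anonymous readers are left on http, matching Magnus's note
 * that forcing https for everyone is not the current intention.
 */
function pgwikiForceHttpsForSessions( &$title, &$article, &$output, &$user,
	$request, $mediaWiki ) {
	global $wgServer;

	if ( $request->getProtocol() === 'https' ) {
		return true; // already secure, nothing to do
	}

	// getCookie() prepends $wgCookiePrefix, so '_session' resolves to
	// wikidb_session and 'UserID' to wikidbUserID (the cookie Magnus
	// singles out as the interesting one).
	$looksLoggedIn = $request->getCookie( '_session' ) !== null
		|| $request->getCookie( 'UserID' ) !== null;
	if ( !$looksLoggedIn ) {
		return true;
	}

	// Caveat: this check only sees cookies the browser sends over http, so
	// it works precisely because wikidb_session/wikidbUserID lack the Secure
	// flag. A Secure cookie (like sessionid on the main site) never reaches
	// an http request, which is exactly why Josh's http tab looked logged out.

	// Rebuild the target from the configured host rather than the Host
	// header, so a forged Host header cannot redirect users off-site.
	$host = parse_url( $wgServer, PHP_URL_HOST );
	$secureUrl = 'https://' . $host . $request->getRequestURL();

	// 301 so the browser remembers the upgrade for that URL.
	$output->redirect( $secureUrl, '301' );
	return true;
}
$wgHooks['BeforeInitialize'][] = 'pgwikiForceHttpsForSessions';
```

The redirect happens early enough that the http response never carries page content for a logged-in user, but the cookies themselves have already crossed the wire in the clear; only the Secure flag (or the all-https vhost rule) prevents that.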