Subject: Re: Can we change auto-logout timing on wiki.postgresql.org?
From: Magnus Hagander
To: Paul Waring
Cc: PostgreSQL WWW
Date: Wed, 15 May 2013 20:47:19 +0200
In-Reply-To: <5193D77A.70403@xk7.net>
References: <517A7144.4070204@xk7.net> <517B729C.4060906@kaltenbrunner.cc>
 <517B7658.9070209@commandprompt.com> <517B9613.4090201@kaltenbrunner.cc>
 <20130427140914.GA20361@momjian.us> <517C046E.30207@kaltenbrunner.cc>
 <20130503004153.GD3374@momjian.us> <20130515032509.GA20053@momjian.us>
 <20130515112415.GA8585@momjian.us> <5193CC0F.2060307@agliodbs.com>
 <5193CCB2.4080702@agliodbs.com> <5193D77A.70403@xk7.net>
X-Mailing-List: pgsql-www

On Wed, May 15, 2013 at 8:44 PM, Paul Waring wrote:
> On 15/05/13 19:00, Magnus Hagander wrote:
>> On Wed, May 15, 2013 at 7:58 PM, Josh Berkus wrote:
>>> On 05/15/2013 10:55 AM, Josh Berkus wrote:
>>>> WWW,
>>>>
>>>> First off, whatever tuning you did didn't work. I'm still getting
>>>> logged out, after considerably less than 6 hours. I'd say about 20min,
>>>> in fact.
>>>
>>> Wait, no. That's not the issue. The real issue is somewhat stranger.
>>>
>>> 1. log into wiki.postgresql.org.
>>>
>>> 2. in a new browser tab/window, follow this link:
>>>
>>> http://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>>
>>> ... you will find yourself not logged in on that tab, even though you
>>> are on another tab.
>>>
>>> 3. now click this link:
>>>
>>> https://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>>
>>> ... now you're logged in. WTF? Apparently login state is only detected
>>> for HTTPS links?
>>
>> Yes, the login cookie is set to be sent only over https, for security
>> reasons.
>>
>> For our other websites, this will be automatically detected and you
>> get redirected to https (try going to your account page on the main
>> website with http for example), but at least I don't know of a way to
>> do that in mediawiki.
>>
>> Should be easy enough to see - check your mediawiki cookies, and
>> you'll see they are enabled for https only.
>
> That's not quite accurate - there are three cookies set by *.postgresql.org:
>
> postgresql.org - csrftoken (expires a year after being set)

That one is, I believe, not actually part of that site. It's leaking over
from the main website.

> postgresql.org - sessionid (expires two weeks after being set)
> wiki.postgresql.org - wikidb_session (expires on browser close)
>
> Only the sessionid cookie requires a https connection, the other cookies
> will be sent if a request is made over a http connection.

Yes. But the interesting cookies here are wikidbUserID and wikidbUserName.

> If all wiki connections should be over https - including guests - then that
> can be accomplished via a simple rule in the Apache virtual host
> configuration. If only logged in users require https then you'd need either

Assuming we used apache. But yes, that's a trivial configuration in any
webserver. That is not the current intention, though we might want to
revisit that in the future.

> a plugin to handle this, or register a 'hook' which is a small piece of PHP
> which is run before Mediawiki displays a page and forces a redirect if the
> request was not made over https *and* the wikidb_session cookie is set.

Do you know if there's a readymade plugin that supports this?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/


--
Sent via pgsql-www mailing list (pgsql-www@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-www
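The cookie behaviour the thread is arguing about, worked through as an added example (this is not code from the thread, from the postgresql.org sites or from MediaWiki). It parses Set-Cookie headers the way a browser does, reports which login-related cookies lack the Secure flag, shows which cookies a browser would actually attach to an http versus an https request, and implements the redirect rule Paul describes: redirect to https only when the request is plain http and a wiki login cookie arrived with it. The cookie names (csrftoken, sessionid, wikidb_session, wikidbUserID, wikidbUserName) come from the thread; every cookie value and attribute in the sample headers is constructed, and it is an assumption of the example that wikidb_session, wikidbUserID and wikidbUserName are the cookies that mark a logged-in wiki user.

```python
"""Audit Set-Cookie headers for the Secure flag and decide when a plain-http
request should be redirected to https.

Added example, not code from the pgsql-www thread or from MediaWiki. The
cookie names follow the thread; every value and attribute below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed Set-Cookie headers, roughly as a browser would receive them from
# postgresql.org and wiki.postgresql.org. Only sessionid carries Secure here,
# mirroring the observation in the thread; all values are placeholders.
SAMPLE_SET_COOKIES = [
    "csrftoken=CONSTRUCTED-TOKEN; Domain=.postgresql.org; Path=/; Max-Age=31449600",
    "sessionid=CONSTRUCTED-SESSION; Domain=.postgresql.org; Path=/; Max-Age=1209600; Secure; HttpOnly",
    "wikidb_session=CONSTRUCTED-WIKI-SESSION; Path=/; HttpOnly",
    "wikidbUserID=42; Path=/; Max-Age=15552000; HttpOnly",
    "wikidbUserName=ExampleUser; Path=/; Max-Age=15552000; HttpOnly",
]

# Cookies that identify a logged-in user and therefore should never travel in clear.
LOGIN_COOKIE_NAMES = {"sessionid", "wikidb_session", "wikidbUserID", "wikidbUserName"}
# Assumed marker cookies for "this request comes from a logged-in wiki user".
WIKI_LOGIN_COOKIES = frozenset({"wikidb_session", "wikidbUserID", "wikidbUserName"})


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    domain: Optional[str] = None
    max_age: Optional[int] = None  # None: session cookie, expires on browser close


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 syntax) into a Cookie.

    Attribute names are case-insensitive; Secure and HttpOnly carry no value,
    so their mere presence sets the flag."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain":
            cookie.domain = val.strip().lower()
        elif key == "max-age":
            cookie.max_age = int(val.strip())
    return cookie


def sample_cookies() -> List[Cookie]:
    """The constructed sample headers, parsed."""
    return [parse_set_cookie(h) for h in SAMPLE_SET_COOKIES]


def audit_cookies(headers: Iterable[str]) -> List[Tuple[str, str]]:
    """Report login-related cookies that a browser would send over plain http
    or expose to page scripts. Returns (cookie name, problem) pairs."""
    findings = []
    for cookie in map(parse_set_cookie, headers):
        if cookie.name not in LOGIN_COOKIE_NAMES:
            continue
        if not cookie.secure:
            findings.append((cookie.name, "missing Secure: browser sends it over http"))
        if not cookie.httponly:
            findings.append((cookie.name, "missing HttpOnly: readable via document.cookie"))
    return findings


def cookies_sent(scheme: str, cookies: Iterable[Cookie]) -> Set[str]:
    """Names of the cookies a browser attaches to a request over `scheme`.

    A Secure cookie is only sent over https, so a logged-in user who opens an
    http:// link arrives without the session cookie and looks logged out."""
    return {c.name for c in cookies if scheme == "https" or not c.secure}


def https_redirect_target(url: str, request_cookie_names: Iterable[str]) -> Optional[str]:
    """The rule from the thread: redirect to the https version of `url` only if
    the request came in over plain http *and* a wiki login cookie arrived with
    it. Returns None when no redirect is needed."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    if not WIKI_LOGIN_COOKIES.intersection(request_cookie_names):
        return None
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for name, problem in audit_cookies(SAMPLE_SET_COOKIES):
        print(f"{name}: {problem}")
    print("sent over http: ", sorted(cookies_sent("http", sample_cookies())))
    print("sent over https:", sorted(cookies_sent("https", sample_cookies())))
    url = "http://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting"
    print("redirect:", https_redirect_target(url, cookies_sent("http", sample_cookies())))
```

Running the demo shows the dependency that a hook of this kind has: it can only react to cookies that actually reach the server over http, so the marker it keys on (wikidb_session in Paul's proposal) must be a non-Secure cookie, while the credential that matters keeps the Secure flag. Marking every login cookie Secure closes that signal, which is why redirecting all wiki traffic to https at the web server, the option Magnus says is not the current intention, is the configuration that does not depend on which cookies happen to be visible.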