Re: Can we change auto-logout timing on wiki.postgresql.org?
From | Paul Waring |
---|---|
Subject | Re: Can we change auto-logout timing on wiki.postgresql.org? |
Date | |
Msg-id | 5193D77A.70403@xk7.net |
In response to | Re: Can we change auto-logout timing on wiki.postgresql.org? (Magnus Hagander <magnus@hagander.net>) |
Responses | Re: Can we change auto-logout timing on wiki.postgresql.org? |
List | pgsql-www |
On 15/05/13 19:00, Magnus Hagander wrote:
> On Wed, May 15, 2013 at 7:58 PM, Josh Berkus <josh@agliodbs.com> wrote:
>> On 05/15/2013 10:55 AM, Josh Berkus wrote:
>>> WWW,
>>>
>>> First off, whatever tuning you did didn't work. I'm still getting
>>> logged out, after considerably less than 6 hours. I'd say about 20min,
>>> in fact.
>>
>> Wait, no. That's not the issue. The real issue is somewhat stranger.
>>
>> 1. log into wiki.postgresql.org.
>>
>> 2. in a new browser tab/window, follow this link:
>>
>> http://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>
>> ... you will find yourself not logged in on that tab, even though you
>> are on another tab.
>>
>> 3. now click this link:
>>
>> https://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>
>> ... now you're logged in. WTF? Apparently login state is only detected
>> for HTTPS links?
>
> Yes, the login cookie is set to be sent only over https, for security reasons.
>
> For our other websites, this will be automatically detected and you
> get redirected to https (try going to your account page on the main
> website with http for example), but at last I don't know of a way to
> do that in mediawiki.
>
> Should be easy enough to see - check your mediawiki cookies, and
> you'll see they are enabled for https only.

That's not quite accurate - there are three cookies set by *.postgresql.org:

postgresql.org - csrftoken (expires a year after being set)
postgresql.org - sessionid (expires two weeks after being set)
wiki.postgresql.org - wikidb_session (expires on browser close)

Only the sessionid cookie requires a https connection, the other cookies will be sent if a request is made over a http connection.

If all wiki connections should be over https - including guests - then that can be accomplished via a simple rule in the Apache virtual host configuration.

If only logged in users require https then you'd need either a plugin to handle this, or register a 'hook' which is a small piece of PHP which is run before Mediawiki displays a page and forces a redirect if the request was not made over https *and* the wikidb_session cookie is set.

-- 
Paul Waring
http://www.pwaring.com
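
The hook described in the message above, sketched as an added example; it is not part of the original e-mail and not the postgresql.org configuration. Assumptions: the helper name `exampleHttpsRedirectTarget` and the `EXAMPLE_CANONICAL_HOST` constant are hypothetical, MediaWiki's `BeforeInitialize` hook is used as the "run before the page is displayed" point, the session cookie is named `wikidb_session` as listed in the message, and TLS terminates on the web server itself so that `$_SERVER['HTTPS']` is populated.

```php
<?php
// LocalSettings.php fragment -- added example, not the project's own code.

// Assumption: the wiki's canonical host. Building the redirect from a fixed
// value (not the client-supplied Host header) avoids an open redirect.
define( 'EXAMPLE_CANONICAL_HOST', 'wiki.postgresql.org' );

/**
 * Decide whether a request has to be bounced to https.
 *
 * @param array $server  Normally $_SERVER
 * @param array $cookies Normally $_COOKIE
 * @return string|null   The https URL to redirect to, or null to serve as-is
 */
function exampleHttpsRedirectTarget( array $server, array $cookies ) {
    $isHttps = !empty( $server['HTTPS'] ) && $server['HTTPS'] !== 'off';
    if ( $isHttps ) {
        return null; // already on https
    }
    if ( !isset( $cookies['wikidb_session'] ) || $cookies['wikidb_session'] === '' ) {
        return null; // guest without a wiki session: plain http stays allowed
    }
    // REQUEST_URI is path plus query string; fall back to the root if absent
    // or if it does not look like an origin-form path.
    $uri = isset( $server['REQUEST_URI'] ) ? $server['REQUEST_URI'] : '/';
    if ( $uri === '' || $uri[0] !== '/' ) {
        $uri = '/';
    }
    return 'https://' . EXAMPLE_CANONICAL_HOST . $uri;
}

// Runs before MediaWiki builds the page; a redirect set on the OutputPage
// object is sent instead of the rendered article.
$wgHooks['BeforeInitialize'][] = function ( $title, $unused, $output, $user, $request, $mediaWiki ) {
    $target = exampleHttpsRedirectTarget( $_SERVER, $_COOKIE );
    if ( $target !== null ) {
        $output->redirect( $target, '302' );
    }
    return true; // let other hooks run
};
```

Because `wikidb_session` is not restricted to https, the browser has already sent it over the plain http connection by the time this hook runs; the redirect moves the rest of the visit to https but does not undo that exposure.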