jenkins-bot has submitted this change and it was merged.

Change subject: SessionManager: Abstract forceHTTPS cookie setting
......................................................................


SessionManager: Abstract forceHTTPS cookie setting

This allows CentralAuthSessionProvider to avoid doing craziness like
this all the time:

  Set-Cookie: forceHTTPS=true; path=/; httponly
  Set-Cookie: forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; 
Max-Age=0; path=/; httponly
  Set-Cookie: forceHTTPS=true; path=/; domain=.wikipedia.org; httponly
  Set-Cookie: forceHTTPS=true; path=/; httponly
  Set-Cookie: forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; 
Max-Age=0; path=/; httponly
  Set-Cookie: forceHTTPS=true; path=/; domain=.wikipedia.org; httponly

Bug: T124421
Change-Id: Ib7b0f77ac7a8963d276c511a306e97b0a246f78f
Depends-On: I7e02afd032a246df6850208c26d3447798bc0fc2
---
M includes/session/CentralAuthSessionProvider.php
1 file changed, 23 insertions(+), 15 deletions(-)

Approvals:
  BryanDavis: Looks good to me, approved
  Gergő Tisza: Looks good to me, but someone else must approve
  jenkins-bot: Verified



diff --git a/includes/session/CentralAuthSessionProvider.php 
b/includes/session/CentralAuthSessionProvider.php
index cf9b6b7..d78beb2 100644
--- a/includes/session/CentralAuthSessionProvider.php
+++ b/includes/session/CentralAuthSessionProvider.php
@@ -4,6 +4,7 @@
 use MediaWiki\Session\SessionInfo;
 use MediaWiki\Session\UserInfo;
 use MediaWiki\Session\Session;
+use MediaWiki\Session\SessionBackend;
 
 /**
  * CentralAuth cookie-based sessions.
@@ -331,19 +332,6 @@
                        $response->clearCookie( 
$this->params['centralSessionName'],
                                array( 'prefix' => '' ) + 
$this->centralCookieOptions );
                }
-
-               if ( $session->shouldForceHTTPS() || 
$session->getUser()->requiresHTTPS() ) {
-                       // Delete the core cookie and set our own
-                       $response->clearCookie( 'forceHTTPS',
-                               array( 'prefix' => '', 'secure' => false ) + 
$this->cookieOptions );
-                       $response->setCookie( 'forceHTTPS', 'true', 
$session->shouldRememberUser() ? 0 : null,
-                               array( 'prefix' => '', 'secure' => false ) + 
$this->centralCookieOptions );
-               } else {
-                       // T56626: Explcitly clear forceHTTPS cookie when it's 
not wanted
-                       $response->clearCookie( 'forceHTTPS',
-                               array( 'prefix' => '', 'secure' => false ) + 
$this->centralCookieOptions );
-               }
-
        }
 
        public function unpersistSession( WebRequest $request ) {
@@ -367,8 +355,6 @@
                $response->clearCookie( 'Token', $this->centralCookieOptions );
                $response->clearCookie( $this->params['centralSessionName'],
                        array( 'prefix' => '' ) + $this->centralCookieOptions );
-               $response->clearCookie( 'forceHTTPS',
-                       array( 'prefix' => '', 'secure' => false ) + 
$this->centralCookieOptions );
        }
 
        public function preventSessionsForUser( $username ) {
@@ -396,6 +382,28 @@
                }
        }
 
+       protected function setForceHTTPSCookie(
+               $set, SessionBackend $backend = null, WebRequest $request
+       ) {
+               $response = $request->response();
+               $central = $backend
+                       ? CentralAuthUser::getInstance( $backend->getUser() 
)->isAttached()
+                       : false;
+
+               // If the account is centralized, have the parent clear its 
cookie and
+               // set the central cookie. If it's not centralized, clear the 
central
+               // cookie and have the parent set its cookie as it usually 
would.
+               if ( $set && $central ) {
+                       parent::setForceHTTPSCookie( false, $backend, $request 
);
+                       $response->setCookie( 'forceHTTPS', 'true', 
$backend->shouldRememberUser() ? 0 : null,
+                               array( 'prefix' => '', 'secure' => false ) + 
$this->centralCookieOptions );
+               } else {
+                       $response->clearCookie( 'forceHTTPS',
+                               array( 'prefix' => '', 'secure' => false ) + 
$this->centralCookieOptions );
+                       parent::setForceHTTPSCookie( $set, $backend, $request );
+               }
+       }
+
        protected function setLoggedOutCookie( $loggedOut, WebRequest $request 
) {
                if ( $loggedOut + 86400 > time() &&
                        $loggedOut !== (int)$this->getCookie( $request, 
'LoggedOut', $this->centralCookieOptions['prefix'] )
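Review bot: `$central` at the top of setForceHTTPSCookie runs `CentralAuthUser::getInstance( $backend->getUser() )->isAttached()` whenever a backend is passed, even when `$set` is false and the result is never consulted (only the `$set && $central` branch reads it); testing `$set` first avoids what is presumably a central-user load on every clear, e.g. `$central = ( $set && $backend ) ? CentralAuthUser::getInstance( $backend->getUser() )->isAttached() : false;`. The new protected override also carries no docblock, unlike the neighbouring methods; a block with `@param bool $set`, `@param SessionBackend|null $backend`, `@param WebRequest $request` that states the central cookie (set with `'secure' => false` on the central domain) replaces the core one only for attached accounts, and that the core cookie is cleared in that case, would save the next reader from re-deriving the branch logic. `SessionBackend $backend = null` followed by the required `$request` reads as optional but is effectively required; if the project's PHP baseline allows it, a nullable declaration without the default would be clearer. The parent's `setForceHTTPSCookie` signature comes from the Depends-On change and is not visible here, so this assumes it takes the same three parameters.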

-- 
To view, visit https://gerrit.wikimedia.org/r/265931
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ib7b0f77ac7a8963d276c511a306e97b0a246f78f
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/extensions/CentralAuth
Gerrit-Branch: master
Gerrit-Owner: Anomie <bjor...@wikimedia.org>
Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Gergő Tisza <gti...@wikimedia.org>
Gerrit-Reviewer: Legoktm <legoktm.wikipe...@gmail.com>
Gerrit-Reviewer: jenkins-bot <>
