BryanDavis has uploaded a new change for review. https://gerrit.wikimedia.org/r/266415
Change subject: SessionManager: Abstract forceHTTPS cookie setting ...................................................................... SessionManager: Abstract forceHTTPS cookie setting This allows CentralAuthSessionProvider to avoid doing craziness like this all the time: Set-Cookie: forceHTTPS=true; path=/; httponly Set-Cookie: forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly Set-Cookie: forceHTTPS=true; path=/; domain=.wikipedia.org; httponly Set-Cookie: forceHTTPS=true; path=/; httponly Set-Cookie: forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly Set-Cookie: forceHTTPS=true; path=/; domain=.wikipedia.org; httponly Bug: T124421 Depends-On: I61d14bf80fa7c857dec9cffb366dc3f84dbb4faf Change-Id: I125cd26d7086d7da2d283e71e736f381043d6877 (cherry picked from commit 1e2b4411ef264674a68dc9f6162657d39035b709) --- M includes/session/CentralAuthSessionProvider.php 1 file changed, 23 insertions(+), 15 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/CentralAuth refs/changes/15/266415/1 diff --git a/includes/session/CentralAuthSessionProvider.php b/includes/session/CentralAuthSessionProvider.php index cf9b6b7..d78beb2 100644 --- a/includes/session/CentralAuthSessionProvider.php +++ b/includes/session/CentralAuthSessionProvider.php @@ -4,6 +4,7 @@ use MediaWiki\Session\SessionInfo; use MediaWiki\Session\UserInfo; use MediaWiki\Session\Session; +use MediaWiki\Session\SessionBackend; /** * CentralAuth cookie-based sessions. 
@@ -331,19 +332,6 @@ $response->clearCookie( $this->params['centralSessionName'], array( 'prefix' => '' ) + $this->centralCookieOptions ); } - - if ( $session->shouldForceHTTPS() || $session->getUser()->requiresHTTPS() ) { - // Delete the core cookie and set our own - $response->clearCookie( 'forceHTTPS', - array( 'prefix' => '', 'secure' => false ) + $this->cookieOptions ); - $response->setCookie( 'forceHTTPS', 'true', $session->shouldRememberUser() ? 0 : null, - array( 'prefix' => '', 'secure' => false ) + $this->centralCookieOptions ); - } else { - // T56626: Explcitly clear forceHTTPS cookie when it's not wanted - $response->clearCookie( 'forceHTTPS', - array( 'prefix' => '', 'secure' => false ) + $this->centralCookieOptions ); - } - } public function unpersistSession( WebRequest $request ) { @@ -367,8 +355,6 @@ $response->clearCookie( 'Token', $this->centralCookieOptions ); $response->clearCookie( $this->params['centralSessionName'], array( 'prefix' => '' ) + $this->centralCookieOptions ); - $response->clearCookie( 'forceHTTPS', - array( 'prefix' => '', 'secure' => false ) + $this->centralCookieOptions ); } public function preventSessionsForUser( $username ) { 
@@ -396,6 +382,28 @@ } } + protected function setForceHTTPSCookie( + $set, SessionBackend $backend = null, WebRequest $request + ) { + $response = $request->response(); + $central = $backend + ? CentralAuthUser::getInstance( $backend->getUser() )->isAttached() + : false; + + // If the account is centralized, have the parent clear its cookie and + // set the central cookie. If it's not centralized, clear the central + // cookie and have the parent set its cookie as it usually would. + if ( $set && $central ) { + parent::setForceHTTPSCookie( false, $backend, $request ); + $response->setCookie( 'forceHTTPS', 'true', $backend->shouldRememberUser() ? 0 : null, + array( 'prefix' => '', 'secure' => false ) + $this->centralCookieOptions ); + } else { + $response->clearCookie( 'forceHTTPS', + array( 'prefix' => '', 'secure' => false ) + $this->centralCookieOptions ); + parent::setForceHTTPSCookie( $set, $backend, $request ); + } + } + protected function setLoggedOutCookie( $loggedOut, WebRequest $request ) { if ( $loggedOut + 86400 > time() && $loggedOut !== (int)$this->getCookie( $request, 'LoggedOut', $this->centralCookieOptions['prefix'] ) -- To view, visit https://gerrit.wikimedia.org/r/266415 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I125cd26d7086d7da2d283e71e736f381043d6877 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/CentralAuth Gerrit-Branch: wmf/1.27.0-wmf.11 Gerrit-Owner: BryanDavis <bda...@wikimedia.org> Gerrit-Reviewer: Anomie <bjor...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
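Review bot: The new setForceHTTPSCookie override has no doc comment, so the two properties a later maintainer is most likely to "fix" by mistake are left implicit: the central cookie is set with `'secure' => false` on purpose, and the else branch clears the central cookie unconditionally, even when `$set` is true for a non-attached account. The removed block in persistSession justified that unconditional clear with T56626, and the reference disappears in this rewrite; a header such as `/** Keeps at most one forceHTTPS cookie (local or central) set. The central cookie is deliberately not Secure (presumably so a plain-HTTP request can still carry it and be redirected); the unconditional clear in the else branch preserves the T56626 behaviour. */` would retain it. It is also worth stating in that comment that `$central` is false whenever `$backend` is null, so the null-backend path always takes the else branch and clears both cookies, which presumably stands in for the clearCookie call dropped from unpersistSession in the previous hunk. The branch logic itself reads consistently with the description; this is documentation only.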