On Tue, Aug 20, 2013 at 11:07 AM, James Alexander <jalexan...@wikimedia.org>wrote:
> * The 'force https' preference is an option that is, by default, turned > off. > It is turned on by default when $wgSecureLogin is enabled. > > * However, for most wikis (not all), force https login is turned on. > That will be the case come tomorrow, yes. > * Because forced https login is turned on the 'default' for those people > will be to move from an https login to an https page because our normal > workflow is to always keep you on https if you are already on https (if you > are on page X, like a login page, in https then the next page X2 is also in > https). > Yes, this is correct. > * However, if you drop yourself down to http (for example just load the > page in http by dropping the s from the address bar and pressing enter) you > will not be forced back to https by default for the same reason (our normal > workflow) assuming that you have not turned on the https preference. > No, it will put you back on HTTPS as that was the default. You have to turn the preference off. > * If you login from an http (non secure) login page such as zhWiki or > faWiki you will be able to remain logged in while going to a non secure > wiki page (http://en.wikipedia.org ) and not be forced to https (unless > you > selected that in your preference). > > Preferences are local, so unless the local preference has been set to false, you would end up on HTTPS. > > On a side note: I assume the preference is wiki based rather then global? > > Correct. I'm beginning to think there's a disconnect between what we coded and what people expect. The preference is *on* by default which I think is what's going to cause problems. We can change defaults before tomorrow so I think we should all be clear. -Chad _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l