Item11621: User logout when access through HTTP after authenticated
Current State: Waiting for Feedback
Released In: n/a
A user authenticated logout when access through HTTP.
- 07 Mar 2012
I think that this might be fixed in latest Foswiki, we now set a secure session cookie separate from the http cookie. If it's not that, I don't understand this issue. Could you explain it a bit better. Thanks
- 20 Mar 2016
To reproduce the bug execute this steps: (1) Access https://foswiki.org/Tasks/Item11621
(2) Authenticate (3) Access http://foswiki.org/Tasks/Item11621
(without SSL). At step (3) you will be unauthenticated.
- 16 May 2016
I'm not sure we can change this behaviour. On an https site, the Session Cookie has the "Secure" flag. This prevents it from being sent to a non-https site. So if you redirect to https for purposes of the login, then the session is stuck to https. If we allow the secure cookie to be delivered to a non-secure site, then it would probably introduce security concerns.
As we use this plugin on foswiki.org in a mixed http / https environment, I'm thinking that things would also work a bit smoother if any
actions listed in the
list redirect to https, not just login. That might reduce the cases where the user loses authentication.
Another change that we've been making in foswiki, primarily for Foswiki 2.2, is to change as many links as possible to relative links, omitting the protocol & hostname. As the base URL for the page is set from the request, it would make it more likely that users on https would "stick", in the case where the DefaultUrlHost
is set to http.
- 26 Mar 2017
The next case that needs to be handled. If a user on http: with a lurking https session visits an access-restricted topic, the
is called to cause a 401 authentication request. If it just redirected to https, then the user would already be authenticated. The solution is to "monkey-patch" the login manager, forcing a redirect to the https URL for http requests.
- 27 Mar 2017