Last modified: 2014-02-12 23:47:24 UTC
1. Go to http://en.m.wikipedia.org/wiki/Typhoon_Rusa
2. Click the watchlist star and click login (Note you are now on https://en.m.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Typhoon+Rusa&returntoquery=article_action%3Dwatch&wpStickHTTPS=1)
3. Login
4. Click back twice so you are back on http://en.m.wikipedia.org/wiki/Typhoon_Rusa and hit refresh

You are no longer logged in

Expected: Login on https should log you in on http
Logging in on https should NEVER log you in on http -- that defeats the purpose of an encrypted connection and makes it trivial for network sniffers or MiTM to steal your tokens.
True. I'm coming from a UX point of view here. What I'm getting at is: if, as a user, I access Wikipedia via http and click on login, I am now logged in and accessing Wikipedia over https. Now if I go to Wikipedia again on http via a Google link, I am now logged out and have to log in again. This loop will continue until I get bored of logging into Wikipedia (logging in is dull, right?). An ideal solution would be to remember a user logged in and redirect them to https on subsequent visits. How we might do this I'm not sure.
This should resolve the bug: https://gerrit.wikimedia.org/r/#/c/45922/
(In reply to comment #3)
> This should resolve the bug:
> https://gerrit.wikimedia.org/r/#/c/45922/

Merged by MaxSem on the 30th.
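The two requirements raised in the comments above (the session must never be usable over http, yet a logged-in user arriving on http should land on https) can both be met with a Secure session cookie plus a secret-free hint cookie. This is an added illustration, not the code of the Gerrit change linked above; the cookie names `session` and `force_https`, the session store and the token are constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed server-side session store: token -> user name.
SESSIONS = {"tok-constructed-123": "ExampleUser"}

def login_cookies(token):
    """Cookies set by the HTTPS login response."""
    jar = SimpleCookie()
    jar["session"] = token            # the secret: HTTPS only
    jar["session"]["secure"] = True
    jar["session"]["httponly"] = True
    jar["force_https"] = "1"          # carries no secret, so it may travel over HTTP
    for name in jar:
        jar[name]["path"] = "/"
    return jar

def browser_sends(jar, scheme):
    """Cookie header a browser attaches: Secure cookies go over https only."""
    return "; ".join(f"{m.key}={m.value}" for m in jar.values()
                     if scheme == "https" or not m["secure"])

def handle(scheme, host, path, cookie_header):
    """Return (status, redirect_location, authenticated_user) for one request."""
    sent = SimpleCookie(cookie_header)
    if scheme == "http":
        # Never authenticate over plaintext, even if a session value shows up.
        if "force_https" in sent:
            return 302, f"https://{host}{path}", None
        return 200, None, None
    token = sent["session"].value if "session" in sent else None
    return 200, None, SESSIONS.get(token)

if __name__ == "__main__":
    jar = login_cookies("tok-constructed-123")
    for scheme in ("http", "https"):
        header = browser_sends(jar, scheme)
        print(scheme, repr(header),
              handle(scheme, "en.m.wikipedia.org", "/wiki/Typhoon_Rusa", header))
```

The hint cookie travels in cleartext and can be stripped or forged on the network, so it only improves the user experience and must never be treated as proof of login. A `Strict-Transport-Security` response header is what makes the browser itself skip the plaintext request on later visits.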