[Ohrrpgce] Can't log in to wiki over HTTP
James Paige
Bob at hamsterrepublic.com
Thu Sep 17 07:08:22 PDT 2020
I would be happy to disable http completely, and always redirect http to
https.
People who have an OS so old that it can't support https are welcome to
open a web browser on a separate device.
I don't actually know how to do this just for the login page. I think I
remember an option in the dreamhost config panel to do this for the whole
site, but I would have to hunt for it.
A *MUCH* bigger security concern is that I can't upgrade Mediawiki anymore.
It has been years since running "git pull" on a large repo in a shell
script on a dreamhost shared account was a viable option.
I had a clunky workaround where I would rsync the whole thing locally,
upgrade it, rsync it back up to dreamhost, and then run the last stage of
the upgrade.
I am always terrified that I will break the whole thing every time I do
that, but maybe I will give it a try today since I happen to be on a
vacation day and have time.
I would really like to move the whole wiki to a place where the upgrades
were automatically managed for me. I haven't had time to look into that (in
years)
On Thu, Sep 17, 2020 at 9:57 AM Adam Perry <arperry at gmail.com> wrote:
> It is not a good idea to have an HTTP login page. Your credentials are
> sent in plain text when you log in via HTTP.
>
> I realize that the OHR wiki isn't the most high-profile target for
> hackers, but it's still a bad idea. We don't need to allow wiki editing to
> everyone able to use the engine if it means compromising security.
>
>
> On Wed, Sep 16, 2020, 8:45 PM Ralph Versteegen <teeemcee at gmail.com> wrote:
>
>> Holly reported, and I can confirm, that you can't log into the wiki, or
>> create an account, when accessing it over HTTP instead of HTTPS. (I think I
>> remember seeing this already quite a while ago.) You get the following
>> message:
>>
>> "There seems to be a problem with your login session; this action has
>> been canceled as a precaution against session hijacking. Please resubmit
>> the form."
>>
>> It is nice to be able to access the wiki via HTTP, since HTTPS is
>> inaccessible from ancient OSes such as some of those we support. If the
>> login page could redirect from HTTP to HTTPS...
>>
>> Hmm, maybe I should file such things on github instead...
>> _______________________________________________
>> Ohrrpgce mailing list
>> ohrrpgce at lists.motherhamster.org
>> http://lists.motherhamster.org/listinfo.cgi/ohrrpgce-motherhamster.org
>>
> _______________________________________________
> Ohrrpgce mailing list
> ohrrpgce at lists.motherhamster.org
> http://lists.motherhamster.org/listinfo.cgi/ohrrpgce-motherhamster.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.motherhamster.org/pipermail/ohrrpgce-motherhamster.org/attachments/20200917/b51dad98/attachment.html>
More information about the Ohrrpgce
mailing list