[Ohrrpgce] Can't log in to wiki over HTTP
James Paige
Bob at hamsterrepublic.com
Thu Sep 17 07:49:59 PDT 2020
I turned on https:// redirect for the whole site. Seems to be working fine.
I tried the local upgrade process, and no luck. The git repo metadata is
hopelessly corrupted.
I won't get that solved today :P
I'll probably have to set up a whole new mediawiki instance, make sure it
has all the plugins we need, port over the anti-spam hacks, and then
restore a database backup into it. Arg. That ain't happening today :(
Anybody know a fully managed mediawiki hosting site? Doesn't have to be a
free one.
---
James Paige
On Thu, Sep 17, 2020 at 10:08 AM James Paige <Bob at hamsterrepublic.com>
wrote:
> I would be happy to disable http completely, and always redirect http to
> https.
>
> People who have an OS so old that it can't support https are welcome to
> open a web browser on a separate device.
>
> I don't actually know how to do this just for the login page. I think I
> remember an option in the dreamhost config panel to do this for the whole
> site, but I would have to hunt for it.
>
> A *MUCH* bigger security concern is that I can't upgrade Mediawiki
> anymore. It has been years since running "git pull" on a large repo in a
> shell script on a dreamhost shared account was a viable option.
>
> I had a clunky workaround where I would rsync the whole thing locally,
> upgrade it, rsync it back up to dreamhost, and then run the last stage of
> the upgrade.
>
> I am always terrified that I will break the whole thing every time I do
> that, but maybe I will give it a try today since I happen to be on a
> vacation day and have time.
>
> I would really like to move the whole wiki to a place where the upgrades
> were automatically managed for me. I haven't had time to look into that (in
> years)
>
> On Thu, Sep 17, 2020 at 9:57 AM Adam Perry <arperry at gmail.com> wrote:
>
>> It is not a good idea to have an HTTP login page. Your credentials are
>> sent in plain text when you log in via HTTP.
>>
>> I realize that the OHR wiki isn't the most high-profile target for
>> hackers, but it's still a bad idea. We don't need to allow wiki editing to
>> everyone able to use the engine if it means compromising security.
>>
>>
>> On Wed, Sep 16, 2020, 8:45 PM Ralph Versteegen <teeemcee at gmail.com>
>> wrote:
>>
>>> Holly reported, and I can confirm, that you can't log into the wiki, or
>>> create an account, when accessing it over HTTP instead of HTTPS. (I think I
>>> remember seeing this already quite a while ago.) You get the following
>>> message:
>>>
>>> "There seems to be a problem with your login session; this action has
>>> been canceled as a precaution against session hijacking. Please resubmit
>>> the form."
>>>
>>> It is nice to be able to access the wiki via HTTP, since HTTPS is
>>> inaccessible from ancient OSes such as some of those we support. If the
>>> login page could redirect from HTTP to HTTPS...
>>>
>>> Hmm, maybe I should file such things on github instead...
>>> _______________________________________________
>>> Ohrrpgce mailing list
>>> ohrrpgce at lists.motherhamster.org
>>> http://lists.motherhamster.org/listinfo.cgi/ohrrpgce-motherhamster.org
>>>
>> _______________________________________________
>> Ohrrpgce mailing list
>> ohrrpgce at lists.motherhamster.org
>> http://lists.motherhamster.org/listinfo.cgi/ohrrpgce-motherhamster.org
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.motherhamster.org/pipermail/ohrrpgce-motherhamster.org/attachments/20200917/1961a982/attachment-0001.html>
More information about the Ohrrpgce
mailing list