[Ohrrpgce] Can't log in to wiki over HTTP

James Paige Bob at hamsterrepublic.com
Thu Sep 17 19:10:05 PDT 2020


Yeah, downloading the tarball and then applying a patch is probably the way
to go. I could do it in a separate directory, and only proceed if the patch
succeeds. It is doable. I'll spend some time on it when I have another free
day.

On Thu., Sep. 17, 2020, 9:59 p.m. Ralph Versteegen, <teeemcee at gmail.com>
wrote:

>
>
> On Fri, 18 Sep 2020 at 02:08, James Paige <Bob at hamsterrepublic.com> wrote:
>
>> I would be happy to disable http completely, and always redirect http to
>> https.
>>
>> People who have an OS so old that it can't support https are welcome to
>> open a web browser on a separate device.
>>
>> I don't actually know how to do this just for the login page. I think I
>> remember an option in the dreamhost config panel to do this for the whole
>> site, but I would have to hunt for it.
>>
>> A *MUCH* bigger security concern is that I can't upgrade MediaWiki
>> anymore. It has been years since running "git pull" on a large repo in a
>> shell script on a dreamhost shared account was a viable option.
>>
>
> Is the reason that you're using git to download mediawiki versions because
> you use git to merge your local changes?
> Are those local changes just in LocalSettings.php?
> If it's just a couple files, it seems practical to write a small shell
> script to download a tarball and do an interactive merge of those couple
> files using sdiff.
>
>
>> I had a clunky workaround where I would rsync the whole thing locally,
>> upgrade it, rsync it back up to dreamhost, and then run the last stage of
>> the upgrade.
>>
>> I am always terrified that I will break the whole thing every time I do
>> that, but maybe I will give it a try today since I happen to be on a
>> vacation day and have time.
>>
>> I would really like to move the whole wiki to a place where the upgrades
>> were automatically managed for me. I haven't had time to look into that (in
>> years).
>>
>> On Thu, Sep 17, 2020 at 9:57 AM Adam Perry <arperry at gmail.com> wrote:
>>
>>> It is not a good idea to have an HTTP login page. Your credentials are
>>> sent in plain text when you log in via HTTP.
>>>
>>> I realize that the OHR wiki isn't the most high-profile target for
>>> hackers, but it's still a bad idea. We don't need to allow wiki editing to
>>> everyone able to use the engine if it means compromising security.
>>>
>>>
>>> On Wed, Sep 16, 2020, 8:45 PM Ralph Versteegen <teeemcee at gmail.com>
>>> wrote:
>>>
>>>> Holly reported, and I can confirm, that you can't log into the wiki, or
>>>> create an account, when accessing it over HTTP instead of HTTPS. (I think I
>>>> remember seeing this already quite a while ago.) You get the following
>>>> message:
>>>>
>>>> "There seems to be a problem with your login session; this action has
>>>> been canceled as a precaution against session hijacking. Please resubmit
>>>> the form."
>>>>
>>>> It is nice to be able to access the wiki via HTTP, since HTTPS is
>>>> inaccessible from ancient OSes such as some of those we support. If the
>>>> login page could redirect from HTTP to HTTPS...
>>>>
>>>> Hmm, maybe I should file such things on github instead...
>>>> _______________________________________________
>>>> Ohrrpgce mailing list
>>>> ohrrpgce at lists.motherhamster.org
>>>> http://lists.motherhamster.org/listinfo.cgi/ohrrpgce-motherhamster.org
>>>>
>
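
The staged upgrade discussed in this thread (unpack the release tarball in a separate directory, apply the local changes as a patch, and proceed only if the patch succeeds), as an added example that is not part of the original messages or anyone's actual upgrade script. The function name `stage_upgrade`, all paths, and the checksum step are assumptions; GNU tar, GNU patch and `sha256sum` are assumed to be available.

```shell
#!/bin/sh
# Added example (not from the thread). stage_upgrade and all paths are hypothetical.
# Assumes GNU tar, GNU patch and sha256sum; the tarball is already downloaded.

# stage_upgrade TARBALL SHA256 PATCHFILE STAGEDIR
# On success STAGEDIR holds the new release with local changes applied.
# On any failure STAGEDIR is removed and the live site is never touched.
stage_upgrade() {
    tarball=$1 want_sha=$2 patchfile=$3 stagedir=$4

    # Never reuse a directory: a half-patched tree from an earlier run
    # must not be mistaken for a clean one.
    if [ -e "$stagedir" ]; then
        echo "staging dir already exists: $stagedir" >&2
        return 1
    fi

    # Check the download against the published checksum before unpacking
    # (this step is an addition; the thread does not mention it).
    got_sha=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$got_sha" != "$want_sha" ]; then
        echo "checksum mismatch for $tarball" >&2
        return 1
    fi

    mkdir -p "$stagedir" || return 1
    # --strip-components=1 drops the release's top-level directory.
    if ! tar -xzf "$tarball" -C "$stagedir" --strip-components=1; then
        rm -rf "$stagedir"
        return 1
    fi

    # Dry run first, so a patch that only partly applies changes nothing.
    # --force: never prompt, never guess that the patch is reversed.
    if ! patch -d "$stagedir" -p1 --force --dry-run <"$patchfile" >/dev/null; then
        echo "local patch does not apply; staging discarded" >&2
        rm -rf "$stagedir"
        return 1
    fi
    if ! patch -d "$stagedir" -p1 --force <"$patchfile" >/dev/null; then
        rm -rf "$stagedir"
        return 1
    fi
    return 0
}
```

Only after the function returns 0 would the staged tree be swapped in for the live one and the final upgrade stage run.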