I noticed on s.d.o that some users have a different display on their user account page: most of them had the link to their Profile on http://drupal.org/ and some others didn't. It turns out this was due to some accounts having an http init and others using https. Here is the conversation I had with coltrane and greggles.

greggles:

Seems like a bug and one we're likely to hit more as we roll out more and more https. I'm not sure at the moment what the *right* behavior is though as d.o migrates to https we'll have inits with both styles. I think the init probably should not contain the protocol and should instead use whatever the site is "set" to use.

coltrane:

My recommendation for Bakery on any SSL-enabled site is to put all authenticated users over SSL for this reason.

The good thing is that it does not seem to prevent logging in to s.d.o, and it seems to fix itself too! Here is what I did as an experiment from an initial situation where my init was http:
- set my init to https on slave => am still logged in slave
- logout of master => got logged out of slave
- reset password on master and log in on master => got logged in on slave, init on slave is still https
- loaded my user page on slave => init got fixed to http

I confirmed that setting the init manually from https to http fixes the issue on the profile page.

Comments

coltrane:

In #1013952: Bakery cookies insecure we altered Bakery cookie names if the site is set for cookie secure. Any site that sets session.cookie_secure will be incompatible with other subsites and a master that doesn't. If the site just redirects HTTP to HTTPS (and Bakery cookies are sent in both requests) it'll work fine.

For the case of protocol change we could alter Bakery to ignore storing the protocol.

Update: Looking at requests to association.d.o and security.d.o it seems that it just redirects to https.
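To illustrate the fix coltrane proposes (store the init without its protocol, and build links with whatever scheme the site is set to use, as greggles suggests), here is an added Python example; it is not Bakery's own code, and the init format, the master host and the sample accounts are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed sample data: init values recording which master-site account a
# subsite account belongs to. Mixed schemes are the mismatch described above.
STORED_INITS = {
    "alice": "http://drupal.org/user/101",
    "bob": "https://drupal.org/user/202",
    "carol": "drupal.org/user/303",  # already scheme-less
}

MASTER_HOST = "drupal.org"  # assumed master host for this illustration


def naive_master_match(init: str) -> bool:
    """Illustrates the pre-fix behaviour (assumed, not Bakery's real code):
    comparing the raw init against a fixed-scheme prefix, so an https init
    stops matching as soon as the master moves to https."""
    return init.startswith("http://" + MASTER_HOST + "/")


def normalize_init(init: str) -> str:
    """Strip any protocol from an init value, keeping only host and path, so
    'http://drupal.org/user/101' and 'https://drupal.org/user/101' both
    become 'drupal.org/user/101'."""
    # urlparse only fills netloc when '//' is present, so add it for
    # scheme-less values before parsing.
    parsed = urlparse(init if "://" in init else "//" + init)
    return f"{parsed.netloc.lower()}{parsed.path.rstrip('/')}"


def is_master_account(init: str) -> bool:
    """True when the init points at the master site, whichever protocol was
    in use when it was written."""
    return normalize_init(init).startswith(MASTER_HOST + "/")


def profile_link(init: str, site_scheme: str) -> str:
    """Rebuild the master profile link using the scheme the current site is
    set to use, not the scheme that happened to be stored."""
    return f"{site_scheme}://{normalize_init(init)}"


if __name__ == "__main__":
    for name, init in STORED_INITS.items():
        print(name, naive_master_match(init), is_master_account(init),
              profile_link(init, "https"))
```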

coltrane:

Title: Protocol mismatch in init value » Do not store master protocl in init to better support mixed SSL domains
Status: Active » Needs review
Files: new (7.52 KB), new (9.17 KB)
coltrane:

Title: Do not store master protocl in init to better support mixed SSL domains » Do not store master protocol in init to better support mixed SSL domains

correcting title

coltrane:

Reroll.

I thought a procedure to drop the protocol from stored inits would be required, but a quick test with accounts from before this patch went smoothly for SSO after applying it.

This should probably be tested on d.o test environments before RTBC.

coltrane:

This is now applied on devdrupal.org and seems to be working fine.

Master: http://bakerym-drupal.redesign.devdrupal.org/
Subsite: http://bakerys-denver2012.redesign.devdrupal.org/

coltrane:

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.