5 files changed, 69 insertions, 11 deletions

diff --git a/doc/todo/auto-create_tag_pages_according_to_a_template.mdwn b/doc/todo/auto-create_tag_pages_according_to_a_template.mdwn
index e065c4a3d..16dc78fb2 100644
--- a/doc/todo/auto-create_tag_pages_according_to_a_template.mdwn
+++ b/doc/todo/auto-create_tag_pages_according_to_a_template.mdwn
@@ -260,8 +260,8 @@ required to implement [[todo/alias directive]], which couldn't be easily done
 by writing to the RCS as the page's contents can change depending on which
 other pages claim it as an alias. --[[chrysn]]
 
-I agree with [[chrysn]]. In fact, is there any good reason that the core tag plugin doesn't do this? The current usability is horrible, to the point that I have gone 2.5 years with Ikiwiki and haven't yet started using tags. -- [[Eric|http://wiki.pdxhub.org/people/eric]]
+I agree with [[chrysn]]. In fact, is there any good reason that the core tag plugin doesn't do this? The current usability is horrible, to the point that I have gone 2.5 years with Ikiwiki and haven't yet started using tags. -- 
 
-> See [[todo/transient in-memory pages]] for progress on this. --[[smcv]]
+> See [[todo/transient_pages]] for progress on this. --[[smcv]]
 
 [[!tag done]]
diff --git a/doc/todo/autoindex_should_use_add__95__autofile.mdwn b/doc/todo/autoindex_should_use_add__95__autofile.mdwn
index 64f81c82e..19c5004f8 100644
--- a/doc/todo/autoindex_should_use_add__95__autofile.mdwn
+++ b/doc/todo/autoindex_should_use_add__95__autofile.mdwn
@@ -1,4 +1,4 @@
 `add_autofile` is a generic version of [[plugins/autoindex]]'s code,
 so the latter should probably use the former. --[[smcv]]
 
-> See [[todo/transient in-memory pages]] for progress on this. --[[smcv]]
+> See [[todo/transient_pages]] for progress on this. --[[smcv]]
diff --git a/doc/todo/transient_in-memory_pages.mdwn b/doc/todo/transient_pages.mdwn
index 9c1be7362..9c1be7362 100644
--- a/doc/todo/transient_in-memory_pages.mdwn
+++ b/doc/todo/transient_pages.mdwn
diff --git a/doc/todo/use_secure_cookies_for_ssl_logins.mdwn b/doc/todo/use_secure_cookies_for_ssl_logins.mdwn
new file mode 100644
index 000000000..a7030d08c
--- /dev/null
+++ b/doc/todo/use_secure_cookies_for_ssl_logins.mdwn
@@ -0,0 +1,25 @@
+[[!template id=gitbranch branch=smcv/ready/sslcookie-auto author="[[smcv]]"]]
+[[!tag patch]]
+
+At the moment `sslcookie => 0` never creates secure cookies, so if you log in
+with SSL, your browser will send the session cookie even over plain HTTP.
+Meanwhile `sslcookie => 1` always creates secure cookies, so you can't
+usefully log in over plain http.
+
+This branch adds `sslcookie => 0, sslcookie_auto => 1` as an option; this
+uses the `HTTPS` environment variable, so if you log in over SSL you'll
+get a secure session cookie, but if you log in over HTTP, you won't.
+(The syntax for the setup file is pretty rubbish - any other suggestions?)
+
+> Does this need to be a configurable option at all? The behavior could
+> just be changed in the sslcookie = 0 case. It seems sorta reasonable
+> that, once I've logged in via https, I need to re-login if I then
+> switch to http.
+> 
+> And, if your change is made, the sslcookie option could probably itself
+> be dropped too -- at least I don't see a real use case for it if ikiwiki
+> is more paranoid about cookies by default.
+> 
+> Might be best to fix
+> [[todo/want_to_avoid_ikiwiki_using_http_or_https_in_urls_to_allow_serving_both]]
+> first, so that dual https/http sites can better be set up. --[[Joey]]
diff --git a/doc/todo/want_to_avoid_ikiwiki_using_http_or_https_in_urls_to_allow_serving_both.mdwn b/doc/todo/want_to_avoid_ikiwiki_using_http_or_https_in_urls_to_allow_serving_both.mdwn
index f8ec4c420..264eb9688 100644
--- a/doc/todo/want_to_avoid_ikiwiki_using_http_or_https_in_urls_to_allow_serving_both.mdwn
+++ b/doc/todo/want_to_avoid_ikiwiki_using_http_or_https_in_urls_to_allow_serving_both.mdwn
@@ -165,14 +165,17 @@ whether `url` and `cgiurl` are on the same server with the the same URL
 scheme. In theory you could use things like `//static.example.com/wiki/`
 and `//dynamic.example.com/ikiwiki.cgi` to preserve choice of http/https
 while switching server, but I don't know how consistently browsers
-suppot that.
+support that.
 
 "local" here is short for "locally valid", because these URLs are neither
 fully relative nor fully absolute, and there doesn't seem to be a good name
 for them...
 
-I've tested this on a demo website with the CGI enabled, and it seems to
+I've tested this on a demo website with the CGI enabled, and it seemed to
 work nicely (there might be bugs in some plugins, I didn't try all of them).
+The branch at [[todo/use secure cookies for SSL logins]] goes well with
+this one.
+
 The `$config{url}` and `$config{cgiurl}` are both HTTP, but if I enable
 `httpauth`, set `cgiauthurl` to a HTTPS version of the same site and log
 in via that, links all end up in the HTTPS version.
@@ -217,11 +220,19 @@ New API added by this branch:
   >> 
   >>> That makes a great deal of sense, bravo for actually removing
   >>> parameters in the common case while maintaining backwards
-  >>> compatability!
+  >>> compatability! --[[Joey]]
+  >>>
+  >>>> Done in my `localurl` branch; not tested in a whole-wiki way
+  >>>> yet, but I did add a regression test. I've used
+  >>>> `urlto(x, undef)` rather than `urlto(x)` so far, but I could
+  >>>> go back through the codebase using the short form if you'd
+  >>>> prefer. --[[smcv]]
   >>> 
   >>> It does highlight that it would be better to have a
   >>> `absolute_urlto($link)` (or maybe `absolute(urlto($link))` )
   >>> rather than the 3 parameter form. --[[Joey]]
+  >>>
+  >>> Possibly. I haven't added this.
 
 * `IkiWiki::baseurl` has a new second argument which works like the
   third argument of `urlto`
@@ -232,19 +243,34 @@ New API added by this branch:
   >> (But I assume changes to `urlto` will follow through here anyway.)
   >> --[[Joey]] 
 
+  >>> I had to use it a bit more, as a replacement for `$config{url}`
+  >>> when doing things like referencing stylesheets or redirecting to
+  >>> the top of the wiki.
+  >>>
+  >>> I ended up redoing this without the extra parameter. Previously,
+  >>> `baseurl(undef)` was the absolute URL; now, `baseurl(undef)` is
+  >>> the local path. I know you objected to me using `baseurl()` in
+  >>> an earlier branch, because `baseurl().$x` looks confusingly
+  >>> similar to `baseurl($x)` but has totally different semantics;
+  >>> I've generally written it `baseurl(undef)` now, to be more
+  >>> explicit. --[[smcv]]
+
 * `IkiWiki::cgiurl` uses `$local_cgiurl` if passed `local_cgiurl => 1`
 
-  > Possibly changed to making this always be local unless `cgiurl => $x`
-  > is given: see below --[[smcv]]
+  > Now changed to always use the `$local_cgiurl`. --[[smcv]]
 
 * `IkiWiki::cgiurl` omits the trailing `?` if given no named parameters
   except `cgiurl` and/or `local_cgiurl`
 
   > I assume you have no objection to this --[[smcv]]
   > 
-  >> Nod, although I don't know of a use case. --[[Joey]] 
+  >> Nod, although I don't know of a use case. --[[Joey]]
+
+  >>> The use-case is that I can replace `$config{cgiurl}` with
+  >>> `IkiWiki::cgiurl()` for things like the action attribute of
+  >>> forms. --[[smcv]]
 
-Bugs:
+Fixed bugs:
 
 * I don't think anything except `openid` calls `cgiurl` without also
   passing in `local_cgiurl => 1`, so perhaps that should be the default;
@@ -265,6 +291,10 @@ Bugs:
   >>> if `absolute()` were implemented as suggested above, it could also
   >>> be used with cgiurl if necessary.) --[[Joey]]
 
+  >>>> Done (minus `absolute()`). --[[smcv]]
+
+Potential future things:
+
 * It occurs to me that `IkiWiki::cgiurl` could probably benefit from being
   exported? Perhaps also `IkiWiki::baseurl`?
 
@@ -285,4 +315,7 @@ Bugs:
   > AFACIS, `baseurl` is only called in 3 places so I don't think that's
   > needed. --[[Joey]] 
 
-  >> OK, wontfix. --[[smcv]]
+  >> OK, wontfix. For what it's worth, my branch has 6 uses in IkiWiki
+  >> core code (IkiWiki, CGI, Render and the pseudo-core part of editpage)
+  >> and 5 in plugins, since I used it for things like redirection back
+  >> to the top of the wiki --[[smcv]]