Diffstat (limited to 'doc/todo')
-rw-r--r-- | doc/todo/auto-create_tag_pages_according_to_a_template.mdwn | 4
-rw-r--r-- | doc/todo/autoindex_should_use_add__95__autofile.mdwn | 2
-rw-r--r-- | doc/todo/transient_pages.mdwn (renamed from doc/todo/transient_in-memory_pages.mdwn) | 0
-rw-r--r-- | doc/todo/use_secure_cookies_for_ssl_logins.mdwn | 34
-rw-r--r-- | doc/todo/want_to_avoid_ikiwiki_using_http_or_https_in_urls_to_allow_serving_both.mdwn | 10
5 files changed, 43 insertions, 7 deletions
diff --git a/doc/todo/auto-create_tag_pages_according_to_a_template.mdwn b/doc/todo/auto-create_tag_pages_according_to_a_template.mdwn index e065c4a3d..16dc78fb2 100644 --- a/doc/todo/auto-create_tag_pages_according_to_a_template.mdwn +++ b/doc/todo/auto-create_tag_pages_according_to_a_template.mdwn @@ -260,8 +260,8 @@ required to implement [[todo/alias directive]], which couldn't be easily done by writing to the RCS as the page's contents can change depending on which other pages claim it as an alias. --[[chrysn]] -I agree with [[chrysn]]. In fact, is there any good reason that the core tag plugin doesn't do this? The current usability is horrible, to the point that I have gone 2.5 years with Ikiwiki and haven't yet started using tags. -- [[Eric|http://wiki.pdxhub.org/people/eric]] +I agree with [[chrysn]]. In fact, is there any good reason that the core tag plugin doesn't do this? The current usability is horrible, to the point that I have gone 2.5 years with Ikiwiki and haven't yet started using tags. -- -> See [[todo/transient in-memory pages]] for progress on this. --[[smcv]] +> See [[todo/transient_pages]] for progress on this. --[[smcv]] [[!tag done]] diff --git a/doc/todo/autoindex_should_use_add__95__autofile.mdwn b/doc/todo/autoindex_should_use_add__95__autofile.mdwn index 64f81c82e..19c5004f8 100644 --- a/doc/todo/autoindex_should_use_add__95__autofile.mdwn +++ b/doc/todo/autoindex_should_use_add__95__autofile.mdwn @@ -1,4 +1,4 @@ `add_autofile` is a generic version of [[plugins/autoindex]]'s code, so the latter should probably use the former. --[[smcv]] -> See [[todo/transient in-memory pages]] for progress on this. --[[smcv]] +> See [[todo/transient_pages]] for progress on this. --[[smcv]] diff --git a/doc/todo/transient_in-memory_pages.mdwn b/doc/todo/transient_pages.mdwn index 9c1be7362..9c1be7362 100644 --- a/doc/todo/transient_in-memory_pages.mdwn +++ b/doc/todo/transient_pages.mdwn 
diff --git a/doc/todo/use_secure_cookies_for_ssl_logins.mdwn b/doc/todo/use_secure_cookies_for_ssl_logins.mdwn new file mode 100644 index 000000000..f72b2d2d5 --- /dev/null +++ b/doc/todo/use_secure_cookies_for_ssl_logins.mdwn @@ -0,0 +1,34 @@ +[[!template id=gitbranch branch=smcv/ready/sslcookie-auto author="[[smcv]]"]] +[[!tag patch]] + +At the moment `sslcookie => 0` never creates secure cookies, so if you log in +with SSL, your browser will send the session cookie even over plain HTTP. +Meanwhile `sslcookie => 1` always creates secure cookies, so you can't +usefully log in over plain http. + +This branch adds `sslcookie => 0, sslcookie_auto => 1` as an option; this +uses the `HTTPS` environment variable, so if you log in over SSL you'll +get a secure session cookie, but if you log in over HTTP, you won't. +(The syntax for the setup file is pretty rubbish - any other suggestions?) + +> Does this need to be a configurable option at all? The behavior could +> just be changed in the sslcookie = 0 case. It seems sorta reasonable +> that, once I've logged in via https, I need to re-login if I then +> switch to http. + +>> Even better. I've amended the branch to have this behaviour, which +>> turns it into a one-line patch. --[[smcv]] + +> And, if your change is made, the sslcookie option could probably itself +> be dropped too -- at least I don't see a real use case for it if ikiwiki +> is more paranoid about cookies by default. + +>> I haven't done that; it might make sense to do so, but I think it'd be +>> better to leave it in as a safety-catch (or in case someone's +>> using a webserver that doesn't put `$HTTPS` in the environment). --s + +> Might be best to fix +> [[todo/want_to_avoid_ikiwiki_using_http_or_https_in_urls_to_allow_serving_both]] +> first, so that dual https/http sites can better be set up. --[[Joey]] + +>> Thanks for merging that! :-) --s 
diff --git a/doc/todo/want_to_avoid_ikiwiki_using_http_or_https_in_urls_to_allow_serving_both.mdwn b/doc/todo/want_to_avoid_ikiwiki_using_http_or_https_in_urls_to_allow_serving_both.mdwn index 8b0501041..f7938b061 100644 --- a/doc/todo/want_to_avoid_ikiwiki_using_http_or_https_in_urls_to_allow_serving_both.mdwn +++ b/doc/todo/want_to_avoid_ikiwiki_using_http_or_https_in_urls_to_allow_serving_both.mdwn @@ -147,7 +147,7 @@ you don't like my approach: ---- -[[!template id=gitbranch branch=smcv/localurl author="[[smcv]]"]] +[[!template id=gitbranch branch=smcv/ready/localurl author="[[smcv]]"]] [[!tag patch]] OK, here's an alternative approach, closer in spirit to what was initially @@ -171,10 +171,10 @@ support that. fully relative nor fully absolute, and there doesn't seem to be a good name for them... -I tested an earlier version on a demo website with the CGI enabled, and it seemed to +I've tested this on a demo website with the CGI enabled, and it seemed to work nicely (there might be bugs in some plugins, I didn't try all of them). -I haven't yet re-tested with my updated branch, which is why it's not `ready/` -yet. +The branch at [[todo/use secure cookies for SSL logins]] goes well with +this one. The `$config{url}` and `$config{cgiurl}` are both HTTP, but if I enable `httpauth`, set `cgiauthurl` to a HTTPS version of the same site and log @@ -319,3 +319,5 @@ Potential future things: >> core code (IkiWiki, CGI, Render and the pseudo-core part of editpage) >> and 5 in plugins, since I used it for things like redirection back >> to the top of the wiki --[[smcv]] + +[[merged|done]] --[[Joey]] |
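Review bot: In the doc/todo/auto-create_tag_pages_according_to_a_template.mdwn hunk (@@ -260,8 +260,8 @@), the rewritten "I agree with [[chrysn]]" line now ends in a bare `-- ` because the `[[Eric|http://wiki.pdxhub.org/people/eric]]` signature was dropped, which leaves the comment unattributed and with trailing whitespace. If the external link is the problem, keep a plain name after the dashes or remove the dashes as well. This edit is also unrelated to the `[[todo/transient_pages]]` link rename in the same hunk, so it would read better as its own change.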
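Review bot: In the new doc/todo/use_secure_cookies_for_ssl_logins.mdwn, the second paragraph still describes the branch as adding `sslcookie => 0, sslcookie_auto => 1`, but the reply further down says the branch was amended to change the `sslcookie => 0` case directly as a one-line patch, so the description at the top no longer matches the branch. Suggest rewriting that paragraph to state the final behaviour (a secure session cookie when `HTTPS` is set in the environment, a non-secure one otherwise). The caveat about a webserver that doesn't put `$HTTPS` in the environment is only in a threaded reply; it belongs in the main text, naming `sslcookie => 1` as the setting to use there, since on such a server an SSL login would still get a non-secure cookie.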
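Review bot: In the doc/todo/want_to_avoid_ikiwiki_using_http_or_https_in_urls_to_allow_serving_both.mdwn hunk (@@ -171,10 +171,10 @@), the added link `[[todo/use secure cookies for SSL logins]]` is written with spaces and an upper-case "SSL", while the file added in this same change is `use_secure_cookies_for_ssl_logins.mdwn` and the other links touched here were moved to the underscore form (`[[todo/transient_pages]]`). Suggest `[[todo/use_secure_cookies_for_ssl_logins]]` so the link style is consistent across the change.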