Enable secure / https SSL login on mediaWiki 1.13.3

This is how I’ve enabled secure SSL login through https on a mediaWiki 1.13.3 installation. This description might work on other versions of mediaWiki, but that has not been tested.
mediWiki doesn’t support SSL login out of the box so a little hack has to be performed.

First you need to tell the webserver, in my case my Apache server that mediaWiki login requests should be redirected to the SSL page
Add the following code lines to your Apache config files or the mediaWiki .htaccess file

Rewrite login url to use httpsRewriteEngine On

RewriteCond %{REQUEST_URI} ^/index.php$
RewriteCond %{QUERY_STRING} ^title=Special:UserLogin
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R]

Rewrite non login url to use normal http

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(?!title=Special:Userlogin)
RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R]

Source: http://wiki.epfl.ch/cfavi/mediawiki

In addition to the above configuration you have to create a PHP script to fix some cookies problems since the cookie was made on an https address but normal surfing is done on http mode.

Create a file named ssl_login.php and insert the following code into it

# Secure the login page.

# Secure cookies hurt us because they are set on the https page
# but inaccessible from the http page, so we lose our previous session.
$wgCookieSecure = false;

# Don't process JavaScript and CSS files.
# Otherwise, a secure page will be tagged as "partially secure" because these
# files are being hit via http.
if (checkQS('gen', 'js')) {return;}
if (checkQS('gen', 'css') || checkQS('ctype', 'text/css')) {return;}

# Get page title from query string.
$pageTitle = array_key_exists('title', $_GET)
     ? $_GET['title']
     : "";

# Get server variables
$domain = $_SERVER['HTTP_HOST'];

# Are we on the sign-in page or not?
# Logic works for everything except Special pages which apparently don't
# even run LocalSettings.php.
$onSignInPage = false;
$signInPageName = 'special:userlogin';  // lowercase on purpose
if ( strtolower($pageTitle) == $signInPageName ) {
  $onSignInPage = true;
} elseif ( strstr(strtolower($uri), "/$signInPageName") ) {
  $onSignInPage = true;
} else {
  $onSignInPage = false;

# Secure only the Special:Userlogin page.
# Un-secure all other pages.
if ( !checkServerVariable('HTTPS', 'on') && $onSignInPage ) {
  header('Location: https://' . $domain . $uri);
} elseif ( checkServerVariable('HTTPS', 'on') && ! $onSignInPage ) {
  header('Location: http://' . $domain . $uri);
} else {
  // nothing

function checkQS($key, $value) {
  return checkArrayValue($_GET, $key, $value);

function checkServerVariable($var, $value) {
  return checkArrayValue($_SERVER, $var, $value);

function checkArrayValue($arr, $key, $value) {
  return array_key_exists($key, $arr) && $arr[$key] == $value;

Include this file in your LocalSettings.php file like this

# Fix to use SSL login
include '/full/path/to/htdocs/ssl_login.php';

Source: http://www.mediawiki.org/wiki/Manual:Configuration_tips_and_tricks#HTTPS_on_Login_only

Remember to restart your apache webserver to see the changes.

10 thoughts on “Enable secure / https SSL login on mediaWiki 1.13.3

  1. Hi – this is really great and exactly what I want to do – it is just that the Special:Userlogin rule should have a capital L on the “login” – so the full set of rules is:

    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/mediawiki/index.php$
    RewriteCond %{QUERY_STRING} ^title=Special:UserLogin.*$
    RewriteCond %{REQUEST_METHOD} ^GET$
    RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R]

  2. This worked great for me on Ubuntu 8.10 with MediaWiki 1.12.0 , but I ran into a couple of things that needed to be changed:

    Secure_Login.php required me to have a <?php tag at the beginning, otherwise it just spits out the code in the header – ugly and not functional ;-).

    The code block says to create a file called ‘Secure_Login.php’, but the include statement in LocalSettings.php says to include ‘ssl_login.php’

    Thanks for the info!

  3. Hey, do you know of a way to just make mediawiki secure https only. Right now I have it working with both https and http. But I would like it to only work with https and redirect all users that hit it on port 80 to https on 443.

  4. Actually found this /etc/apache2/ports.conf file that was included in apache2.conf.

    Just had to make it look like this:

    #NameVirtualHost *:80
    #Listen 80

    # SSL name based virtual hosts are not yet supported, therefore no
    # NameVirtualHost statement here
    Listen 443

  5. Hi bixit, great fix! All is working but I’m not seeing any styling on the login page under HTTPS. Do you have any ideas?

    1. Hi, you should look in the Apache logs and see if you get a lot of 404 errors, and then check if you have a different path in your SSL config compared to the regular.

    2. Did you get the styles to work again? I’m having the same issue, not sure how to fix it. Any assistance would be great!!

      1. Yes, I got the styles working again. Just had to change the path to the SSL installation, but I do not have any MediWiki sites left to administer so I cannot help you any further.

Comments are closed.