[wp-trac] [WordPress Trac] #16869: Links from admin panel to site don't use HTTPS
WordPress Trac
wp-trac at lists.automattic.com
Wed Mar 16 21:29:11 UTC 2011
#16869: Links from admin panel to site don't use HTTPS
----------------------------+-----------------------------
Reporter: F30 | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version: 3.1
Severity: normal | Keywords:
----------------------------+-----------------------------
Since version 3.0, WordPress automatically changes all links to an
'https://' URL if a request is made via SSL, even if the site address is
set to an 'http://' URL. This is important in dual-stack setups, when you
want a site to be accessible via both HTTP and HTTPS.
However, this (as far as I have figured out) doesn't work for links which
point from somewhere in the administration panel to somewhere in the site,
the most visible of these being the 'Visit Site' link at the top. This means
that if you as a site administrator use those links, you are suddenly
making unencrypted requests without even noticing it very much.
In a situation where you rely on SSL security, your cookie information is
being exposed. Although the cookie submitted via HTTP is not valid for the
admin panel, a possible attacker could take over your frontend session and
e.g. post comments under your identity. It also creates some inconvenience
as you have to log in again when changing back to the admin panel.
Since it seems to be a common setup only to do administration via SSL
(wp-config even has a 'FORCE_SSL_ADMIN' option), it might be hard to figure
out if all site links can or should be changed to 'https', too.
But the current behavior is at least annoying and in my opinion also not
secure for users.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/16869>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
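Added example (not part of the ticket or of WordPress itself): a small Python check that flags links on an HTTPS-served admin page which point back to the same host over plain http, the 'Visit Site' case described above, together with the scheme-mirroring rewrite the ticket says WordPress already applies to front-end links. The sample HTML and the host example.com are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: what an admin page served from https://example.com/wp-admin/
# might render, with the 'Visit Site' and 'View Post' links still on plain http.
SAMPLE_ADMIN_HTML = """
<a href="http://example.com/">Visit Site</a>
<a href="https://example.com/wp-admin/">Dashboard</a>
<a href="http://example.com/?p=1">View Post</a>
<a href="http://codex.wordpress.org/">Documentation</a>
<a href="/wp-admin/edit.php">Posts</a>
"""


class LinkCollector(HTMLParser):
    """Collect every href attribute of <a> tags in the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def downgrade_links(html, page_url):
    """Return the hrefs that would take the browser from an HTTPS page to the
    same host over plain HTTP, i.e. the hop that exposes the front-end cookie."""
    page = urlsplit(page_url)
    if page.scheme != "https":
        return []  # nothing to downgrade from if the page itself is plain http
    collector = LinkCollector()
    collector.feed(html)
    return [href for href in collector.hrefs
            if urlsplit(href).scheme == "http"
            and urlsplit(href).netloc == page.netloc]


def mirror_scheme(href, page_url):
    """Rewrite a same-host absolute link to the scheme of the requesting page,
    the behaviour the ticket describes for front-end links under SSL.
    Relative links and links to other hosts are returned unchanged."""
    page = urlsplit(page_url)
    parts = urlsplit(href)
    if parts.netloc == page.netloc and parts.scheme in ("http", "https"):
        return urlunsplit(parts._replace(scheme=page.scheme))
    return href
```

Running `downgrade_links(SAMPLE_ADMIN_HTML, "https://example.com/wp-admin/")` on the sample returns the two plain-http same-host links, and `mirror_scheme` turns each of them into its https:// form while leaving the codex link and the relative admin link alone.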