[buddypress-trac] [BuddyPress] #4822: Login redirects to https when FORCE_ADMIN_SSL enabled

buddypress-trac noreply at wordpress.org
Tue Feb 12 23:19:21 UTC 2013

#4822: Login redirects to https when FORCE_ADMIN_SSL enabled
 Reporter:  will_c       |      Owner:
     Type:  defect       |     Status:  new
  (bug)                  |  Milestone:  Awaiting Review
 Priority:  normal       |    Version:  1.7
Component:  Core         |   Keywords:  has-patch dev-feedback needs-
 Severity:  normal       |  testing
 Using WP 3.5 and BP 1.7 trunk, I am experiencing issues where the user is
 redirected to an https version of the site when logging in (initially
 incorrectly) using the sidebar login widget. I believe I have tracked down
 these issues to problems with bp_core_login_redirect() and how
 bp_get_root_domain() handles retrieving the site url during login. In my
 mind this is a fairly significant bug because of the potential
 complications with cross domain requests.

 To replicate this issue:
 2. Use the bp-default theme
 3. Attempt to login from the homepage (or any other page) using incorrect
 credentials. This will redirect you to https://[your url]/wp-login.php.
 4. Input the correct credentials and you will be redirected to
 https://[your site].com
 ''4a. This issue also appears if you manually add a relative redirect_to
 value rather than an absolute one to the login url. This patch '''does
 not''' fix this issue.''

 As far as I can tell, this issue stems from more serious issues with how
 WP core deals with FORCE_ADMIN_SSL and is part of a much larger problem.
 The issue is that when the user is on the wp-login page, they are using
 https, and at that point, home_url(), site_url(), network_site_url(), etc.
 all return the https variant of the site url. It seems that this issue
 stems from the is_ssl() function that simply checks the $_SERVER global
 for 'HTTPS' and 'HTTPS_PORT', which at that point is true. This becomes a
 problem because bp_get_root_domain calls either $bp->root_domain or
 bp_core_get_root_domain() - which calls get_home_url(). Both of these
 return the https variant of the site url.

 My proposed solution would add a check when a user isn't logged in to see
 if a redirect_to variable had been passed to wp-login.php. If it hasn't,
 it sets the redirect_to variable to wp_get_referer() so that the user is
 redirected back to where they came from using the same protocol that they
 had been using on the front end. I also added checks to prevent redirect
 loops. This should work with plugins that modify the $redirect_to variable
 themselves (as long as they use absolute urls).

 With this new solution, I wasn't able to find a test case that would then
 proceed in bp_core_login_redirect() down to bp_get_root_domain(), so I
 would be fine getting rid of it, but kept it in for now.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/4822>
BuddyPress <http://buddypress.org/>

More information about the buddypress-trac mailing list