[buddypress-trac] [BuddyPress] #4822: Login redirects to https when FORCE_ADMIN_SSL enabled
buddypress-trac
noreply at wordpress.org
Tue Feb 12 23:19:21 UTC 2013
#4822: Login redirects to https when FORCE_ADMIN_SSL enabled
-------------------------+-------------------------------------------------
 Reporter:  will_c       |      Owner:
     Type:  defect (bug) |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Core         |    Version:  1.7
 Severity:  normal       |   Keywords:  has-patch dev-feedback needs-testing
-------------------------+-------------------------------------------------
Using WP 3.5 and BP 1.7 trunk, I am experiencing issues where the user is
redirected to an https version of the site when logging in (initially
incorrectly) using the sidebar login widget. I believe I have tracked down
these issues to problems with bp_core_login_redirect() and how
bp_get_root_domain() handles retrieving the site url during login. In my
mind this is a fairly significant bug because of the potential
complications with cross domain requests.
To replicate this issue:
1. Enable FORCE_ADMIN_SSL
2. Use the bp-default theme
3. Attempt to log in from the homepage (or any other page) using incorrect
   credentials. This will redirect you to https://[your url]/wp-login.php.
4. Input the correct credentials and you will be redirected to
   https://[your site].com
4a. This issue also appears if you manually add a relative redirect_to
    value rather than an absolute one to the login URL. This patch does NOT
    fix this issue.
As far as I can tell, this issue stems from more serious issues with how
WP core deals with FORCE_ADMIN_SSL and is part of a much larger problem.
The issue is that when the user is on the wp-login page, they are using
https, and at that point, home_url(), site_url(), network_site_url(), etc.
all return the https variant of the site url. It seems that this issue
stems from the is_ssl() function that simply checks the $_SERVER global
for 'HTTPS' and 'HTTPS_PORT', which at that point is true. This becomes a
problem because bp_get_root_domain calls either $bp->root_domain or
bp_core_get_root_domain() - which calls get_home_url(). Both of these
return the https variant of the site url.
My proposed solution would add a check when a user isn't logged in to see
if a redirect_to variable had been passed to wp-login.php. If it hasn't,
it sets the redirect_to variable to wp_get_referer() so that the user is
redirected back to where they came from using the same protocol that they
had been using on the front end. I also added checks to prevent redirect
loops. This should work with plugins that modify the $redirect_to variable
themselves (as long as they use absolute urls).
With this new solution, I wasn't able to find a test case that would then
proceed in bp_core_login_redirect() down to bp_get_root_domain(), so I
would be fine getting rid of it, but kept it in for now.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/4822>
BuddyPress <http://buddypress.org/>
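Added example, not the reporter's patch and not BuddyPress or WordPress code: one way to express the approach described in the ticket as a small plugin hooked on WordPress' login_redirect filter. When no redirect_to reached wp-login.php, it falls back to wp_get_referer() (so the visitor keeps the scheme they were using on the front end), refuses to redirect back to wp-login.php to avoid a loop, and passes the result through wp_validate_redirect() so an attacker-supplied Referer header cannot turn the fallback into an open redirect. The function names and the example_ prefix are hypothetical; the only WordPress APIs used are wp_get_referer(), wp_validate_redirect(), home_url(), is_wp_error() and the login_redirect filter, all of which exist in WP 3.5.

```php
<?php
/*
Plugin Name: Example login redirect (hypothetical, illustrative only)
*/

/**
 * Hypothetical pure helper: choose where to send a user after a login.
 *
 * @param string       $requested The redirect_to value wp-login.php received ('' if none).
 * @param string|false $referer   What wp_get_referer() returned (false if unavailable).
 * @param string       $fallback  Default destination, normally home_url().
 * @return string Unvalidated candidate URL; caller must still validate it.
 */
function example_pick_login_redirect( $requested, $referer, $fallback ) {
    // An explicit redirect_to always wins. A relative value is left to
    // WordPress' own handling; the ticket notes the referer approach does
    // not address that case.
    if ( '' !== $requested ) {
        return $requested;
    }

    // Browsers may omit Referer entirely (privacy settings, HTTPS -> HTTP).
    if ( ! $referer ) {
        return $fallback;
    }

    // Never bounce back to the login page itself, or the user would loop.
    // (After a failed attempt the referer IS wp-login.php, so this branch
    // is the one that fires in step 3/4 of the ticket.)
    $path = (string) parse_url( $referer, PHP_URL_PATH );
    if ( false !== strpos( $path, 'wp-login.php' ) ) {
        return $fallback;
    }

    // The referer keeps the scheme the visitor actually used (http://
    // from the sidebar widget), unlike home_url() evaluated on the
    // https:// login page once FORCE_ADMIN_SSL is on.
    return $referer;
}

/**
 * login_redirect callback: ($redirect_to, $requested_redirect_to, $user).
 */
function example_login_redirect( $redirect_to, $requested_redirect_to, $user ) {
    // Only act for a successful login; leave error cases untouched.
    if ( is_wp_error( $user ) || ! ( $user instanceof WP_User ) ) {
        return $redirect_to;
    }

    $target = example_pick_login_redirect(
        (string) $requested_redirect_to,
        wp_get_referer(),
        home_url()
    );

    // Referer is attacker-controlled input. wp_validate_redirect() only
    // allows this host plus anything whitelisted via the
    // allowed_redirect_hosts filter, and returns home_url() otherwise.
    return wp_validate_redirect( $target, home_url() );
}
add_filter( 'login_redirect', 'example_login_redirect', 10, 3 );
```

Two caveats a reviewer would raise against this (and against any referer-based fix): in the failed-then-retried login of step 3, the referer is the https wp-login.php page itself, so this example falls back to home_url(), which at that point still returns the https variant the ticket complains about, and the reporter's actual patch is not reproduced here; and any plugin that redirects to wp_get_referer() without wp_validate_redirect() is an open redirect, since the Referer header is set by the client.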