[wp-trac] [WordPress Trac] #9207: redirect_to wp-admin Should Force SSL If FORCE_SSL_ADMIN is enabled
WordPress Trac
wp-trac at lists.automattic.com
Sat Feb 21 22:36:07 GMT 2009
#9207: redirect_to wp-admin Should Force SSL If FORCE_SSL_ADMIN is enabled
--------------------------+-------------------------------------------------
Reporter: g30rg3x | Owner: anonymous
Type: defect (bug) | Status: new
Priority: normal | Milestone: 2.8
Component: General | Version:
Severity: normal | Keywords: 2nd-opinion
--------------------------+-------------------------------------------------
Around lines 406 to 426 in wp-login.php:
{{{
$secure_cookie = '';
// If the user wants ssl but the session is not ssl, force a secure cookie.
// Note: this whole block is skipped when FORCE_SSL_ADMIN is already on,
// so in that case $secure_cookie stays '' and the rewrite below never runs.
if ( !empty($_POST['log']) && !force_ssl_admin() ) {
    $user_name = sanitize_user($_POST['log']);
    if ( $user = get_userdatabylogin($user_name) ) {
        if ( get_user_option('use_ssl', $user->ID) ) {
            $secure_cookie = true;
            force_ssl_admin(true);
        }
    }
}

if ( isset( $_REQUEST['redirect_to'] ) ) {
    $redirect_to = $_REQUEST['redirect_to'];
    // Redirect to https if user wants ssl (only triggered by the per-user option above)
    if ( $secure_cookie && false !== strpos($redirect_to, 'wp-admin') )
        $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to);
} else {
    $redirect_to = admin_url();
}
}}}
As we can see in the present code, if a redirection is set while logging in and
this redirection goes to the plain version of the dashboard, then the client
will go to the non-SSL version of the dashboard, which will then move
the client to the secure version (generating an extra request).
I know this is kind of a tongue-twister sentence, so I think it is better to put
a request example of the problem...
Client: POST http://foo.bar/wp-login.php?redirect_to=http%3A%2F%2Ffoo.bar%2Fwp-admin%2Findex.php
Server: HTTP 302 ... Location: http://foo.bar/wp-admin/index.php
Client: GET http://foo.bar/wp-admin/index.php
Server: HTTP 302 ... Location: https://foo.bar/wp-admin/index.php
I know that WordPress is actually working as it is supposed to work (because we
told it to move to the non-SSL version of the dashboard), but an extra HTTP
request is issued.
IMHO if we (admins) have enabled FORCE_SSL_ADMIN, then all redirections to
wp-admin should go SSL/HTTPS even if we fill redirect_to with the plain
version of the dashboard.
There is a part of the code that detects this and replaces it, but it has
issues, or rather it isn't prepared to do this.
At the moment we can filter login_redirect to fix this, but (again) IMHO
this should move into core...
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9207>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
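The redirect decision the ticket asks for, written as an added example (not WordPress core code and not a patch from the reporter): a pure function that takes the FORCE_SSL_ADMIN state and the per-user use_ssl option as parameters so it runs outside WordPress, and walks the constructed requests from the report through it.

```php
<?php
// Added example, not core code. Mirrors the wp-login.php logic quoted in the
// ticket, but treats FORCE_SSL_ADMIN and the per-user 'use_ssl' option the
// same way: either one means a wp-admin redirect must be upgraded to https.
//   $redirect_to      : the redirect_to request parameter
//   $force_ssl_admin  : value of FORCE_SSL_ADMIN (site-wide constant)
//   $user_wants_ssl   : the per-user 'use_ssl' option checked at login
function login_redirect_target(string $redirect_to, bool $force_ssl_admin, bool $user_wants_ssl): string {
    // In current core only $user_wants_ssl sets $secure_cookie, and that branch
    // is skipped entirely when FORCE_SSL_ADMIN is on, so the rewrite never runs.
    $want_ssl = $force_ssl_admin || $user_wants_ssl;

    // Same loose 'wp-admin' match as core; front-end targets are left alone.
    if ($want_ssl && false !== strpos($redirect_to, 'wp-admin')) {
        $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to);
    }
    return $redirect_to;
}

// Constructed sample cases modelled on the exchange in the report.
$cases = [
    // FORCE_SSL_ADMIN on, plain redirect_to to the dashboard: one hop instead of two
    ['http://foo.bar/wp-admin/index.php', true,  false],
    // FORCE_SSL_ADMIN off, user opted into SSL: what core already does today
    ['http://foo.bar/wp-admin/index.php', false, true],
    // Front-end target stays plain even with FORCE_SSL_ADMIN on
    ['http://foo.bar/',                   true,  false],
];
foreach ($cases as [$url, $force, $user]) {
    printf("%-36s force_ssl_admin=%d use_ssl=%d -> %s\n",
        $url, $force, $user, login_redirect_target($url, $force, $user));
}
```

With the first case the server can answer the login POST with Location: https://foo.bar/wp-admin/index.php directly, so the second 302 in the report's exchange disappears.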