Visibility: password-protected breaks with redirected domains

[monkeyhouse]

Pre-requisite to reproduce: domain.com must redirect to www.domain.com (haven't tested with other subdomains than www, but I'm sure it would be the same).

1. password protect a page
2. visit domain.com/protected (which redirects to www.domain.com/protected)
3. enter password
4. something about the redirect OR the way the password is stored/checked is broken; you are redirected to the wp-admin (WordPress login) page.

Sanity check:

1. password protect a page
2. visit www.domain.com/protected (requiring no subdomain redirect)
3. enter password
4. successful log-in

Tried the procedure you describe and it works fine for me. Are you using server rewrite rules to do the non-www -> www redirect?

Confirmed.

1. Visited ​http://127.0.0.1/wordpress/password-protected-post/
2. Entered password, Form submitted to ​http://localhost/wordpress/wp-pass.php
3. Redirected to ​http://localhost/wordpress/wp-admin/

This is caused by wp-post.php using wp_safe_redirect(wp_get_referer()); for the redirection.

Since the referer is set to ​http://127... instead of ​http://localhost.. and i'm logged in, it'll redirect me to the WordPress admin.

Ideally, the best way to do this would be to POST the post_id along to wp-pass.php as well, and redirect to get_permalink($post_id);

Replying to dd32:

Ideally, the best way to do this would be to POST the post_id along to wp-pass.php as well, and redirect to get_permalink($post_id);

Taken a slightly different approach by forcing _wp_http_referer to be the permalink. Was unable to quickly reproduce the problem for testing, but this should work.

makes a bit more sense there.

Also related, and I'll probably fix at the same time: #16483

I was able to recreate the problem with version 3.5-alpha-21751 and installed the patch.
The patch corrected the redirect for me. I am unsure if there may be a better way to handle this but it works.