id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
9207	redirect_to wp-admin Should Force SSL If FORCE_SSL_ADMIN is enabled	g30rg3x	hakre	"Around Lines 406 to 426 on wp-login.php:

{{{
	$secure_cookie = '';

	// If the user wants ssl but the session is not ssl, force a secure cookie.
	if ( !empty($_POST['log']) && !force_ssl_admin() ) {
		$user_name = sanitize_user($_POST['log']);
		if ( $user = get_userdatabylogin($user_name) ) {
			if ( get_user_option('use_ssl', $user->ID) ) {
				$secure_cookie = true;
				force_ssl_admin(true);
			}
		}
	}

	if ( isset( $_REQUEST['redirect_to'] ) ) {
		$redirect_to = $_REQUEST['redirect_to'];
		// Redirect to https if user wants ssl
		if ( $secure_cookie && false !== strpos($redirect_to, 'wp-admin') )
			$redirect_to = preg_replace('|^http://|', 'https://', $redirect_to);
	} else {
		$redirect_to = admin_url();
	}
}}}

As we can see on the present code, if a redirection is set while login and this redirection goes to the plain version of the dashboard then client will go to the non-SSL version of the dashboard which therefore will move the client to the secure version (generating and extra request).[[BR]]
I know this is kinda a tongue twister sentence so i think is better to put a request example of the problem...

Client: POST http://foo.bar/wp-login.php?redirect_to=http%3A%2F%2Ffoo.bar%2Fwp-admin%2Findex.php [[BR]]
Server: HTTP 302 ... Location: http://foo.bar/wp-admin/index.php [[BR]]
Client: GET http://foo.bar/wp-admin/index.php [[BR]]
Server: HTTP 302 ... Location: https://foo.bar/wp-admin/index.php

I know that wordpress is actually working as suppose to work (cause we told to move to non-SSL version of the dashboard) but and a extra http request is issued.[[BR]]
IMHO if we (admins) have enabled FORCE_SSL_ADMIN, then all redirections to wp-admin should go SSL/HTTPs even if we fill redirect_to with the plain version of the dashboard.[[BR]]
There is part of the code that detect this and replace it but it has issues or well it isn't prepared to do this.[[BR]]
At the moment we can filter login_redirect to fix this but (again) IMHO this should move to the core..."	defect (bug)	accepted	normal	Future Release	Security	2.9	normal		has-patch reporter-feedback	keytuna