Ticket #9207: 9207.patch

wp-includes/functions.php

@@ -3164 +3164 @@
 }
 
 /**
- * Whether to force SSL used for the Administration Panels.
+ * Wether or not to force SSL used for the Admin.
+ * 
+ * Statefull automata with two states: true and false.
  *
  * @since 2.6.0
  *
- * @param string|bool $force
- * @return bool True if forced, false if not forced.
+ * @param  bool $force (optional) set the state
+ * @return bool true if forced, fakse if not.
  */
 function force_ssl_admin( $force = null ) {
         static $forced = false;
 
-        if ( !is_null( $force ) ) {
-                $old_forced = $forced;
-                $forced = $force;
-                return $old_forced;
-        }
+        $old = $forced;
 
-        return $forced;
+        if ( ! is_null( $force ) )
+                $forced  = (bool) $force;
+
+        return $old;
 }
 
 /**

wp-login.php

@@ -454 +454 @@
 
 case 'login' :
 default:
-        $secure_cookie = '';
-        $interim_login = isset($_REQUEST['interim-login']);
+        $interim_login = isset( $_REQUEST['interim-login'] );
 
-        // If the user wants ssl but the session is not ssl, force a secure cookie.
-        if ( !empty($_POST['log']) && !force_ssl_admin() ) {
-                $user_name = sanitize_user($_POST['log']);
-                if ( $user = get_userdatabylogin($user_name) ) {
-                        if ( get_user_option('use_ssl', $user->ID) ) {
-                                $secure_cookie = true;
-                                force_ssl_admin(true);
-                        }
-                }
+        /* set $secure_cookie (SSL) */
+
+        $secure_cookie = false;
+        
+        if ( FORCE_SSL_ADMIN ) {
+                // If configured to ssl, use secure cookie.
+                $secure_cookie = true;
+        } elseif ( 
+                        ! empty( $_POST['log'] )
+                        && ! force_ssl_admin()
+                        && $user = get_userdatabylogin( sanitize_user($_POST['log']) )
+                        && get_user_option( 'use_ssl', $user->ID )
+        ) {
+                // If the user wants ssl but the session is not ssl, use a secure cookie.
+                $secure_cookie = true;
         }
 
+        if ( $secure_cookie )
+                force_ssl_admin( true );
+
+        /* set $redirect_to */
+                
+        $redirect_to = admin_url(  );
+
         if ( isset( $_REQUEST['redirect_to'] ) ) {
                 $redirect_to = $_REQUEST['redirect_to'];
                 // Redirect to https if user wants ssl
-                if ( $secure_cookie && false !== strpos($redirect_to, 'wp-admin') )
-                        $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to);
-        } else {
-                $redirect_to = admin_url();
+                if ( $secure_cookie && false !== strpos( $redirect_to, 'wp-admin' ) )
+                        $redirect_to = preg_replace( '|^http://|', 'https://', $redirect_to );
         }
 
         if ( !$secure_cookie && is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) )