WordPress.org

Make WordPress Core

Changeset 14556


Ignore:
Timestamp:
05/11/2010 01:44:40 PM (8 years ago)
Author:
ryan
Message:

Force reauth when auth_redirect() redirects to login. see #12142

Location:
trunk
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/general-template.php

    r14499 r14556  
    229229 *
    230230 * @param string $redirect Path to redirect to on login.
    231  */
    232 function wp_login_url($redirect = '') {
     231 * @param bool $force_reauth Whether to force reauthorization, even if a cookie is present. Default is false.
     232 * @return string A log in url
     233 */
     234function wp_login_url($redirect = '', $force_reauth = false) {
    233235    $login_url = site_url('wp-login.php', 'login');
    234236
    235     if ( !empty($redirect) ) {
     237    if ( !empty($redirect) )
    236238        $login_url = add_query_arg('redirect_to', urlencode($redirect), $login_url);
    237     }
     239
     240    if ( $force_reauth )
     241        $login_url = add_query_arg('reauth', '1', $login_url);
    238242
    239243    return apply_filters('login_url', $login_url, $redirect);
  • trunk/wp-includes/pluggable.php

    r14458 r14556  
    800800    $redirect = ( strpos($_SERVER['REQUEST_URI'], '/options.php') && wp_get_referer() ) ? wp_get_referer() : $proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    801801
    802     $login_url = wp_login_url($redirect);
     802    $login_url = wp_login_url($redirect, true);
    803803
    804804    wp_redirect($login_url);
  • trunk/wp-login.php

    r14428 r14556  
    521521    }
    522522
     523    $reauth = empty($_REQUEST['reauth']) ? false : true;
     524
    523525    // If the user was redirected to a secure login form from a non-secure admin page, and secure login is required but secure admin is not, then don't use a secure
    524526    // cookie and redirect back to the referring non-secure admin page.  This allows logins to always be POSTed over SSL while allowing the user to choose visiting
     
    531533    $redirect_to = apply_filters('login_redirect', $redirect_to, isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user);
    532534
    533     if ( !is_wp_error($user) ) {
     535    if ( !is_wp_error($user) && !$reauth ) {
    534536        if ( $interim_login ) {
    535537            $message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
     
    550552    $errors = $user;
    551553    // Clear errors if loggedout is set.
    552     if ( !empty($_GET['loggedout']) )
     554    if ( !empty($_GET['loggedout']) || $reauth )
    553555        $errors = new WP_Error();
    554556
     
    570572    elseif  ( $interim_login )
    571573        $errors->add('expired', __('Your session has expired. Please log-in again.'), 'message');
     574
     575    // Clear any stale cookies.
     576    if ( $reauth )
     577        wp_clear_auth_cookie();
    572578
    573579    login_header(__('Log In'), '', $errors);
Note: See TracChangeset for help on using the changeset viewer.