Timestamp:
05/27/2008 05:46:01 PM (14 years ago)
Author:
ryan
Message:

First cut and better admin SSL support. see #7001

File:
1 edited

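--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -470,7 +470,12 @@
 function wp_validate_auth_cookie($cookie = '') {
     if ( empty($cookie) ) {
-        if ( empty($_COOKIE[AUTH_COOKIE]) )
+        if ( is_ssl() )
+            $cookie_name = SECURE_AUTH_COOKIE;
+        else
+            $cookie_name = AUTH_COOKIE;
+
+        if ( empty($_COOKIE[$cookie_name]) )
             return false;
-        $cookie = $_COOKIE[AUTH_COOKIE];
+        $cookie = $_COOKIE[$cookie_name];
     }
 
@@ -515,7 +520,8 @@
  * @param int $user_id User ID
  * @param int $expiration Cookie expiration in seconds
+ * @param bool $secure Whether the cookie is for https delivery only or not.  Not used by default.  For plugin use.
  * @return string Authentication cookie contents
  */
-function wp_generate_auth_cookie($user_id, $expiration) {
+function wp_generate_auth_cookie($user_id, $expiration, $secure = false) {
     $user = get_userdata($user_id);
 
@@ -525,5 +531,5 @@
     $cookie = $user->user_login . '|' . $expiration . '|' . $hash;
 
-    return apply_filters('auth_cookie', $cookie, $user_id, $expiration);
+    return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $secure);
 }
 endif;
@@ -551,11 +557,19 @@
     }
 
-    $cookie = wp_generate_auth_cookie($user_id, $expiration);
-
-    do_action('set_auth_cookie', $cookie, $expire);
-
-    setcookie(AUTH_COOKIE, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN);
+    if ( is_ssl() ) {
+        $secure = true;
+        $cookie_name = SECURE_AUTH_COOKIE;
+    } else {
+        $secure = false;
+        $cookie_name = AUTH_COOKIE;
+    }
+
+    $cookie = wp_generate_auth_cookie($user_id, $expiration, $secure);
+
+    do_action('set_auth_cookie', $cookie, $expire, $secure);
+
+    setcookie($cookie_name, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure);
     if ( COOKIEPATH != SITECOOKIEPATH )
-        setcookie(AUTH_COOKIE, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN);
+        setcookie($cookie_name, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure);
 }
 endif;
@@ -570,4 +584,6 @@
     setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
     setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
+    setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
+    setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
 
     // Old cookies
@@ -605,12 +621,34 @@
 function auth_redirect() {
     // Checks if a user is logged in, if not redirects them to the login page
-    if ( (!empty($_COOKIE[AUTH_COOKIE]) &&
-                !wp_validate_auth_cookie($_COOKIE[AUTH_COOKIE])) ||
-            (empty($_COOKIE[AUTH_COOKIE])) ) {
-        nocache_headers();
-
-        wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
-        exit();
-    }
+
+    if ( is_ssl() || (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) )
+        $secure = true;
+    else
+        $secure = false;
+
+    // If https is required and request is http, redirect
+    if ( $secure && !is_ssl() ) {
+        if ( false !== strpos($_SERVER['REQUEST_URI'], 'http') ) {
+            wp_redirect(str_replace('http://', 'https://', $_SERVER['REQUEST_URI']));
+            exit();
+        } else {
+            wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+            exit();         
+        }
+    }
+
+    if ( wp_validate_auth_cookie() )
+        return;  // The cookie is good so we're done
+
+    // The cookie is no good so force login
+    nocache_headers();
+
+    $login_url = get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']);
+
+    //  Redirect to https if connection is secure
+    if ( $secure )
+        $login_url = str_replace('http://', 'https://', $login_url);
+    wp_redirect($login_url);
+    exit();
 }
 endif;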
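Review bot: In auth_redirect, the test `false !== strpos($_SERVER['REQUEST_URI'], 'http')` is true whenever "http" appears anywhere in the request URI, including a path segment or query value; for a relative URI with no literal `http://` the following `str_replace('http://', 'https://', ...)` changes nothing, so the redirect points back at the same plain-HTTP URL instead of upgrading it. Anchoring the test to the start of the string, `if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {`, limits that branch to absolute request URIs. The else branch builds its target from `$_SERVER['HTTP_HOST']`, which is supplied by the client; taking the host from the configured `siteurl` option, as the login URL a few lines below already does, avoids trusting that header for a redirect. Separately, in the visible lines of wp_generate_auth_cookie `$secure` is only forwarded to the `auth_cookie` filter, so unless the elided hash code uses it, the secure and non-secure cookies carry the same value and differ only in name and flag; binding the scheme into the hash would keep a value issued over HTTP from validating as SECURE_AUTH_COOKIE.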