Changeset 8197

Timestamp:

06/26/2008 04:40:04 PM (15 years ago)

Author:

ryan

Message:

Only use SSL for login POST links if SSL logins are forced. Clear old cookies. see #7001

Location:

trunk

Files:

• wp-includes/link-template.php (modified) (1 diff)
• wp-includes/pluggable.php (modified) (1 diff)
• wp-login.php (modified) (5 diffs)

trunk/wp-includes/link-template.php

@@ -782 +782 @@
     // should the list of allowed schemes be maintained elsewhere?
     if ( !in_array($scheme, array('http', 'https')) ) {
-        if ( ('login' == $scheme) && ( force_ssl_login() || force_ssl_admin() ) )
+        if ( ('login_post' == $scheme) && ( force_ssl_login() || force_ssl_admin() ) )
+            $scheme = 'https';
+        elseif ( ('login' == $scheme) && ( force_ssl_admin() ) )
             $scheme = 'https';
         elseif ( ('admin' == $scheme) && force_ssl_admin() )

trunk/wp-includes/pluggable.php

@@ -611 +611 @@
     setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
     setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+    setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
+    setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
+    setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
+    setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
     setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
     setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);

trunk/wp-login.php

@@ -13 +13 @@
 
 // Redirect to https login if forced to use SSL
-if ( (force_ssl_admin() || force_ssl_login()) && !is_ssl() ) {
+if ( force_ssl_admin() && !is_ssl() ) {
     if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
         wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
@@ -313 +313 @@
 ?>
 
-<form name="lostpasswordform" id="lostpasswordform" action="wp-login.php?action=lostpassword" method="post">
+<form name="lostpasswordform" id="lostpasswordform" action="<?php echo site_url('wp-login.php?action=lostpassword', 'login_post') ?>" method="post">
     <p>
         <label><?php _e('Username or E-mail:') ?><br />
@@ -377 +377 @@
 ?>
 
-<form name="registerform" id="registerform" action="wp-login.php?action=register" method="post">
+<form name="registerform" id="registerform" action="<?php echo siteu_url('wp-login.php?action=register', 'login_post') ?>" method="post">
     <p>
         <label><?php _e('Username') ?><br />
@@ -410 +410 @@
         $redirect_to = $_REQUEST['redirect_to'];
     else
-        $redirect_to = 'wp-admin/';
+        $redirect_to = admin_url();
 
     if ( is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) )
@@ -446 +446 @@
 ?>
 
-<form name="loginform" id="loginform" action="wp-login.php" method="post">
+<form name="loginform" id="loginform" action="<?php echo site_url('wp-login.php', 'login_post') ?>" method="post">
 <?php if ( !isset($_GET['checkemail']) || !in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?>
     <p>