Index: wp-includes/functions.php =================================================================== --- wp-includes/functions.php (revision 7956) +++ wp-includes/functions.php (working copy) @@ -1765,4 +1765,7 @@ return 0; } +function is_ssl() { + return ( 'on' == $_SERVER['HTTPS'] ) ? true : false; +} ?> Index: wp-includes/link-template.php =================================================================== --- wp-includes/link-template.php (revision 7956) +++ wp-includes/link-template.php (working copy) @@ -774,4 +774,45 @@ return apply_filters('shortcut_link', $link); } + +function admin_url($path = '') { + global $_wp_admin_url; + + if ( !isset($_wp_admin_url) ) { + $_wp_admin_url = get_option( 'siteurl' ) . '/wp-admin/'; + if ( is_ssl() ) + $_wp_admin_url = str_replace('http://', 'https://', $_wp_admin_url); + } + + $url = $_wp_admin_url; + + if ( !empty($path) ) + $url .= ltrim($path, '/'); + + if ( is_ssl() ) + $url = str_replace('http://', 'https://', $url); + + return $url; +} + +function includes_url($path = '') { + global $_wp_includes_url; + + if ( !isset($_wp_includes_url) ) { + $_wp_includes_url = get_option( 'siteurl' ) . '/' . WPINC . '/'; + if ( is_ssl() ) + $_wp_includes_url = str_replace('http://', 'https://', $_wp_includes_url); + } + + $url = $_wp_includes_url; + + if ( !empty($path) ) + $url .= ltrim($path, '/'); + + if ( is_ssl() ) + $url = str_replace('http://', 'https://', $url); + + return $url; +} + ?> Index: wp-includes/general-template.php =================================================================== --- wp-includes/general-template.php (revision 7956) +++ wp-includes/general-template.php (working copy) @@ -1136,7 +1136,7 @@ $_file = $color->url; $_file = ('css/colors-rtl' == $file) ? str_replace('.css','-rtl.css',$_file) : $_file; } else { - $_file = get_option( 'siteurl' ) . "/wp-admin/$file.css"; + $_file = admin_url("$file.css"); } } $_file = add_query_arg( 'version', get_bloginfo( 'version' ), $_file ); Index: wp-includes/pluggable.php =================================================================== --- wp-includes/pluggable.php (revision 7956) +++ wp-includes/pluggable.php (working copy) @@ -469,9 +469,14 @@ */ function wp_validate_auth_cookie($cookie = '') { if ( empty($cookie) ) { - if ( empty($_COOKIE[AUTH_COOKIE]) ) + if ( is_ssl() ) + $cookie_name = SECURE_AUTH_COOKIE; + else + $cookie_name = AUTH_COOKIE; + + if ( empty($_COOKIE[$cookie_name]) ) return false; - $cookie = $_COOKIE[AUTH_COOKIE]; + $cookie = $_COOKIE[$cookie_name]; } $cookie_elements = explode('|', $cookie); @@ -514,9 +519,10 @@ * * @param int $user_id User ID * @param int $expiration Cookie expiration in seconds + * @param bool $secure Whether the cookie is for https delivery only or not. Not used by default. For plugin use. * @return string Authentication cookie contents */ -function wp_generate_auth_cookie($user_id, $expiration) { +function wp_generate_auth_cookie($user_id, $expiration, $secure = false) { $user = get_userdata($user_id); $key = wp_hash($user->user_login . '|' . $expiration); @@ -524,7 +530,7 @@ $cookie = $user->user_login . '|' . $expiration . '|' . $hash; - return apply_filters('auth_cookie', $cookie, $user_id, $expiration); + return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $secure); } endif; @@ -550,13 +556,21 @@ $expire = 0; } - $cookie = wp_generate_auth_cookie($user_id, $expiration); + if ( is_ssl() ) { + $secure = true; + $cookie_name = SECURE_AUTH_COOKIE; + } else { + $secure = false; + $cookie_name = AUTH_COOKIE; + } - do_action('set_auth_cookie', $cookie, $expire); + $cookie = wp_generate_auth_cookie($user_id, $expiration, $secure); - setcookie(AUTH_COOKIE, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN); + do_action('set_auth_cookie', $cookie, $expire, $secure); + + setcookie($cookie_name, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure); if ( COOKIEPATH != SITECOOKIEPATH ) - setcookie(AUTH_COOKIE, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN); + setcookie($cookie_name, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure); } endif; @@ -569,6 +583,8 @@ function wp_clear_auth_cookie() { setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); + setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); + setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); // Old cookies setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); @@ -604,14 +620,36 @@ */ function auth_redirect() { // Checks if a user is logged in, if not redirects them to the login page - if ( (!empty($_COOKIE[AUTH_COOKIE]) && - !wp_validate_auth_cookie($_COOKIE[AUTH_COOKIE])) || - (empty($_COOKIE[AUTH_COOKIE])) ) { - nocache_headers(); - wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI'])); - exit(); + if ( is_ssl() || (defined('FORCE_HTTPS_LOGIN') && FORCE_HTTPS_LOGIN) ) + $secure = true; + else + $secure = false; + + // If https is required and request is http, redirect + if ( $secure && !is_ssl() ) { + if ( false !== strpos($_SERVER['REQUEST_URI'], 'http') ) { + wp_redirect(str_replace('http://', 'https://', $_SERVER['REQUEST_URI'])); + exit(); + } else { + wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); + exit(); + } } + + if ( wp_validate_auth_cookie() ) + return; // The cookie is good so we're done + + // The cookie is no good so force login + nocache_headers(); + + $login_url = get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']); + + // Redirect to https if connection is secure + if ( $secure ) + $login_url = str_replace('http://', 'https://', $login_url); + wp_redirect($login_url); + exit(); } endif; Index: wp-includes/script-loader.php =================================================================== --- wp-includes/script-loader.php (revision 7956) +++ wp-includes/script-loader.php (working copy) @@ -137,11 +137,11 @@ $this->add( 'upload', '/wp-admin/js/upload.js', array('jquery'), '20070518' ); $this->add( 'postbox', '/wp-admin/js/postbox.js', array('jquery'), '20080128' ); $this->localize( 'postbox', 'postboxL10n', array( - 'requestFile' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php', + 'requestFile' => admin_url('admin-ajax.php'), ) ); $this->add( 'slug', '/wp-admin/js/slug.js', array('jquery'), '20080208' ); $this->localize( 'slug', 'slugL10n', array( - 'requestFile' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php', + 'requestFile' => admin_url('admin-ajax.php'), 'save' => __('Save'), 'cancel' => __('Cancel'), ) ); Index: wp-settings.php =================================================================== --- wp-settings.php (revision 7956) +++ wp-settings.php (working copy) @@ -307,6 +307,13 @@ /** * It is possible to define this in wp-config.php + * @since 2.6 + */ +if ( !defined('SECURE_AUTH_COOKIE') ) + define('SECURE_AUTH_COOKIE', 'wordpress_sec_' . COOKIEHASH); + +/** + * It is possible to define this in wp-config.php * @since 2.3.0 */ if ( !defined('TEST_COOKIE') ) Index: wp-admin/admin.php =================================================================== --- wp-admin/admin.php (revision 7956) +++ wp-admin/admin.php (working copy) @@ -26,8 +26,8 @@ wp_reset_vars(array('profile', 'redirect', 'redirect_url', 'a', 'popuptitle', 'popupurl', 'text', 'trackback', 'pingback')); -wp_admin_css_color('classic', __('Classic'), get_option( 'siteurl' ) . "/wp-admin/css/colors-classic.css", array('#07273E', '#14568A', '#D54E21', '#2683AE')); -wp_admin_css_color('fresh', __('Fresh'), get_option( 'siteurl' ) . "/wp-admin/css/colors-fresh.css", array('#464646', '#CEE1EF', '#D54E21', '#2683AE')); +wp_admin_css_color('classic', __('Classic'), admin_url("css/colors-classic.css"), array('#07273E', '#14568A', '#D54E21', '#2683AE')); +wp_admin_css_color('fresh', __('Fresh'), admin_url("css/colors-fresh.css"), array('#464646', '#CEE1EF', '#D54E21', '#2683AE')); wp_enqueue_script( 'common' ); wp_enqueue_script( 'jquery-color' );