Index: wp-login.php
===================================================================
--- wp-login.php (revision 8065)
+++ wp-login.php (working copy)
@@ -11,6 +11,17 @@
/** Make sure that the WordPress bootstrap has ran before continuing. */
require( dirname(__FILE__) . '/wp-load.php' );
+// Redirect to https login if forced to use SSL
+if ( (force_ssl_admin() || force_ssl_login()) && !is_ssl() ) {
+ if ( false !== strpos($_SERVER['REQUEST_URI'], 'http') ) {
+ wp_redirect(str_replace('http://', 'https://', $_SERVER['REQUEST_URI']));
+ exit();
+ } else {
+ wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+ exit();
+ }
+}
+
/**
* login_header() - Outputs the header for the login page
*
@@ -137,7 +148,7 @@
$message .= get_option('siteurl') . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
$message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n";
- $message .= site_url("wp-login.php?action=rp&key=$key") . "\r\n";
+ $message .= site_url("wp-login.php?action=rp&key=$key", 'login') . "\r\n";
if ( !wp_mail($user_email, sprintf(__('[%s] Password Reset'), get_option('blogname')), $message) )
die('' . __('The e-mail could not be sent.') . "
\n" . __('Possible reason: your host may have disabled the mail() function...') . '
');
@@ -174,7 +185,7 @@
wp_set_password($new_pass, $user->ID);
$message = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
$message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";
- $message .= site_url('wp-login.php') . "\r\n";
+ $message .= site_url('wp-login.php', 'login') . "\r\n";
if ( !wp_mail($user->user_email, sprintf(__('[%s] Your new password'), get_option('blogname')), $message) )
die('' . __('The e-mail could not be sent.') . "
\n" . __('Possible reason: your host may have disabled the mail() function...') . '
');
@@ -312,10 +323,10 @@
- |
-
+ |
+
-
+
@@ -380,8 +391,8 @@
- |
-
+ |
+
@@ -395,13 +406,18 @@
case 'login' :
default:
- $user = wp_signon();
-
if ( isset( $_REQUEST['redirect_to'] ) )
$redirect_to = $_REQUEST['redirect_to'];
else
$redirect_to = 'wp-admin/';
+ if ( is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) )
+ $secure_cookie = false;
+ else
+ $secure_cookie = '';
+
+ $user = wp_signon('', $secure_cookie);
+
if ( !is_wp_error($user) ) {
// If the user can't edit posts, send them to their profile.
if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) )
@@ -454,10 +470,10 @@
- |
-
+ |
+
-
+
Index: wp-includes/functions.php
===================================================================
--- wp-includes/functions.php (revision 8065)
+++ wp-includes/functions.php (working copy)
@@ -1768,4 +1768,29 @@
function is_ssl() {
return ( 'on' == strtolower($_SERVER['HTTPS']) ) ? true : false;
}
+
+function force_ssl_login($force = '') {
+ static $forced;
+
+ if ( '' != $force ) {
+ $old_forcded = $forced;
+ $forced = $force;
+ return $old_forced;
+ }
+
+ return $forced;
+}
+
+function force_ssl_admin($force = '') {
+ static $forced;
+
+ if ( '' != $force ) {
+ $old_forcded = $forced;
+ $forced = $force;
+ return $old_forced;
+ }
+
+ return $forced;
+}
+
?>
Index: wp-includes/user.php
===================================================================
--- wp-includes/user.php (revision 8065)
+++ wp-includes/user.php (working copy)
@@ -1,6 +1,6 @@
ID, $credentials['remember']);
+ wp_set_auth_cookie($user->ID, $credentials['remember'], $secure_cookie);
do_action('wp_login', $credentials['user_login']);
return $user;
}
Index: wp-includes/link-template.php
===================================================================
--- wp-includes/link-template.php (revision 8065)
+++ wp-includes/link-template.php (working copy)
@@ -780,8 +780,10 @@
function site_url($path = '', $scheme = null) {
// should the list of allowed schemes be maintained elsewhere?
if ( !in_array($scheme, array('http', 'https')) ) {
- if ( ('forceable' == $scheme) && (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) )
+ if ( ('login' == $scheme) && ( force_ssl_login() || force_ssl_admin() ) )
$scheme = 'https';
+ elseif ( ('admin' == $scheme) && force_ssl_admin() )
+ $scheme = 'https';
else
$scheme = ( is_ssl() ? 'https' : 'http' );
}
@@ -797,7 +799,7 @@
function admin_url($path = '') {
global $_wp_admin_url;
- $url = site_url('wp-admin/', 'forceable');
+ $url = site_url('wp-admin/', 'admin');
if ( !empty($path) && is_string($path) && strpos($path, '..') === false )
$url .= ltrim($path, '/');
Index: wp-includes/general-template.php
===================================================================
--- wp-includes/general-template.php (revision 8065)
+++ wp-includes/general-template.php (working copy)
@@ -33,9 +33,9 @@
function wp_loginout() {
if ( ! is_user_logged_in() )
- $link = '' . __('Log in') . '';
+ $link = '' . __('Log in') . '';
else
- $link = '' . __('Log out') . '';
+ $link = '' . __('Log out') . '';
echo apply_filters('loginout', $link);
}
@@ -45,7 +45,7 @@
if ( ! is_user_logged_in() ) {
if ( get_option('users_can_register') )
- $link = $before . '' . __('Register') . '' . $after;
+ $link = $before . '' . __('Register') . '' . $after;
else
$link = '';
} else {
Index: wp-includes/pluggable.php
===================================================================
--- wp-includes/pluggable.php (revision 8065)
+++ wp-includes/pluggable.php (working copy)
@@ -100,8 +100,10 @@
return;
if ( ! $user = wp_validate_auth_cookie() ) {
- wp_set_current_user(0);
- return false;
+ if ( empty($_COOKIE[LOGGED_IN_COOKIE]) || !$user = wp_validate_auth_cookie($_COOKIE[LOGGED_IN_COOKIE], 'logged_in') ) {
+ wp_set_current_user(0);
+ return false;
+ }
}
wp_set_current_user($user);
@@ -465,14 +467,18 @@
* @since 2.5
*
* @param string $cookie Optional. If used, will validate contents instead of cookie's
+ * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
* @return bool|int False if invalid cookie, User ID if valid.
*/
-function wp_validate_auth_cookie($cookie = '') {
+function wp_validate_auth_cookie($cookie = '', $scheme = 'auth') {
if ( empty($cookie) ) {
- if ( is_ssl() )
+ if ( is_ssl() ) {
$cookie_name = SECURE_AUTH_COOKIE;
- else
+ $scheme = 'secure_auth';
+ } else {
$cookie_name = AUTH_COOKIE;
+ $scheme = 'auth';
+ }
if ( empty($_COOKIE[$cookie_name]) )
return false;
@@ -495,7 +501,7 @@
if ( $expired < time() )
return false;
- $key = wp_hash($username . '|' . $expiration);
+ $key = wp_hash($username . '|' . $expiration, $scheme);
$hash = hash_hmac('md5', $username . '|' . $expiration, $key);
if ( $hmac != $hash )
@@ -519,18 +525,18 @@
*
* @param int $user_id User ID
* @param int $expiration Cookie expiration in seconds
- * @param bool $secure Whether the cookie is for https delivery only or not. Not used by default. For plugin use.
+ * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
* @return string Authentication cookie contents
*/
-function wp_generate_auth_cookie($user_id, $expiration, $secure = false) {
+function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {
$user = get_userdata($user_id);
- $key = wp_hash($user->user_login . '|' . $expiration);
+ $key = wp_hash($user->user_login . '|' . $expiration, $scheme);
$hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);
$cookie = $user->user_login . '|' . $expiration . '|' . $hash;
- return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $secure);
+ return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);
}
endif;
@@ -548,7 +554,7 @@
* @param int $user_id User ID
* @param bool $remember Whether to remember the user or not
*/
-function wp_set_auth_cookie($user_id, $remember = false) {
+function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
if ( $remember ) {
$expiration = $expire = time() + 1209600;
} else {
@@ -556,21 +562,29 @@
$expire = 0;
}
- if ( is_ssl() ) {
- $secure = true;
- $cookie_name = SECURE_AUTH_COOKIE;
+ if ( '' === $secure )
+ $secure = is_ssl() ? true : false;
+
+ if ( $secure ) {
+ $auth_cookie_name = SECURE_AUTH_COOKIE;
+ $scheme = 'secure_auth';
} else {
- $secure = false;
- $cookie_name = AUTH_COOKIE;
+ $auth_cookie_name = AUTH_COOKIE;
+ $scheme = 'auth';
}
- $cookie = wp_generate_auth_cookie($user_id, $expiration, $secure);
+ $auth_cookie = wp_generate_auth_cookie($user_id, $expiration, $scheme);
+ $logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');
- do_action('set_auth_cookie', $cookie, $expire, $secure);
+ do_action('set_auth_cookie', $auth_cookie, $expire, $scheme);
+ do_action('set_auth_cookie', $logged_in_cookie, $expire, 'logged_in');
- setcookie($cookie_name, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure);
- if ( COOKIEPATH != SITECOOKIEPATH )
- setcookie($cookie_name, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure);
+ setcookie($auth_cookie_name, $auth_cookie, $expire, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN, $secure);
+ setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN);
+ if ( COOKIEPATH != SITECOOKIEPATH ) {
+ setcookie($cookie_name, $cookie, $expire, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN, $secure);
+ setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN);
+ }
}
endif;
@@ -581,10 +595,12 @@
* @since 2.5
*/
function wp_clear_auth_cookie() {
- setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
- setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
- setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
- setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
+ setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+ setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+ setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+ setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+ setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
+ setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
// Old cookies
setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
@@ -621,7 +637,7 @@
function auth_redirect() {
// Checks if a user is logged in, if not redirects them to the login page
- if ( is_ssl() || (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) )
+ if ( is_ssl() || force_ssl_admin() )
$secure = true;
else
$secure = false;
@@ -643,8 +659,13 @@
// The cookie is no good so force login
nocache_headers();
- $login_url = site_url( 'wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']), 'forceable' );
+ if ( is_ssl() )
+ $proto = 'https://';
+ else
+ $proto = 'http://';
+ $login_url = site_url( 'wp-login.php?redirect_to=' . urlencode($proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']), 'login' );
+
wp_redirect($login_url);
exit();
}
@@ -971,7 +992,7 @@
$message = sprintf(__('Username: %s'), $user_login) . "\r\n";
$message .= sprintf(__('Password: %s'), $plaintext_pass) . "\r\n";
- $message .= site_url("wp-login.php", 'forceable') . "\r\n";
+ $message .= site_url("wp-login.php", 'login') . "\r\n";
wp_mail($user_email, sprintf(__('[%s] Your username and password'), get_option('blogname')), $message);
@@ -1078,23 +1099,56 @@
*
* @return string Salt value from either 'SECRET_KEY' or 'secret' option
*/
-function wp_salt() {
+function wp_salt($scheme = 'auth') {
global $wp_default_secret_key;
$secret_key = '';
if ( defined('SECRET_KEY') && ('' != SECRET_KEY) && ( $wp_default_secret_key != SECRET_KEY) )
$secret_key = SECRET_KEY;
- if ( defined('SECRET_SALT') ) {
- $salt = SECRET_SALT;
- } else {
- $salt = get_option('secret');
- if ( empty($salt) ) {
- $salt = wp_generate_password();
- update_option('secret', $salt);
+ if ( 'auth' == $scheme ) {
+ if ( defined('AUTH_KEY') && ('' != AUTH_KEY) && ( $wp_default_secret_key != AUTH_KEY) )
+ $secret_key = AUTH_KEY;
+
+ if ( defined('AUTH_SALT') ) {
+ $salt = AUTH_SALT;
+ } elseif ( defined('SECRET_SALT') ) {
+ $salt = SECRET_SALT;
+ } else {
+ $salt = get_option('auth_salt');
+ if ( empty($salt) ) {
+ $salt = wp_generate_password();
+ update_option('auth_salt', $salt);
+ }
}
+ } elseif ( 'secure_auth' == $scheme ) {
+ if ( defined('SECURE_AUTH_KEY') && ('' != SECURE_AUTH_KEY) && ( $wp_default_secret_key != SECURE_AUTH_KEY) )
+ $secret_key = SECURE_AUTH_KEY;
+
+ if ( defined('SECURE_AUTH_SALT') ) {
+ $salt = SECRET_AUTH_SALT;
+ } else {
+ $salt = get_option('secure_auth_salt');
+ if ( empty($salt) ) {
+ $salt = wp_generate_password();
+ update_option('secure_auth_salt', $salt);
+ }
+ }
+ } elseif ( 'logged_in' == $scheme ) {
+ if ( defined('LOGGED_IN_KEY') && ('' != LOGGED_IN_KEY) && ( $wp_default_secret_key != LOGGED_IN_KEY) )
+ $secret_key = LOGGED_IN_KEY;
+
+ if ( defined('LOGGED_IN_SALT') ) {
+ $salt = LOGGED_IN_SALT;
+ } else {
+ $salt = get_option('logged_in_salt');
+ if ( empty($salt) ) {
+ $salt = wp_generate_password();
+ update_option('logged_in_salt', $salt);
+ }
+ }
}
- return apply_filters('salt', $secret_key . $salt);
+ return apply_filters('salt', $secret_key . $salt, $scheme);
}
endif;
@@ -1108,8 +1162,8 @@
* @param string $data Plain text to hash
* @return string Hash of $data
*/
-function wp_hash($data) {
- $salt = wp_salt();
+function wp_hash($data, $scheme = 'auth') {
+ $salt = wp_salt($scheme);
return hash_hmac('md5', $data, $salt);
}
Index: wp-settings.php
===================================================================
--- wp-settings.php (revision 8068)
+++ wp-settings.php (working copy)
@@ -334,6 +334,13 @@
/**
* It is possible to define this in wp-config.php
+ * @since 2.6
+ */
+if ( !defined('LOGGED_IN_COOKIE') )
+ define('LOGGED_IN_COOKIE', 'wordpress_logged_in_' . COOKIEHASH);
+
+/**
+ * It is possible to define this in wp-config.php
* @since 2.3.0
*/
if ( !defined('TEST_COOKIE') )
@@ -359,9 +366,25 @@
*/
if ( !defined('COOKIE_DOMAIN') )
define('COOKIE_DOMAIN', false);
-
+
/**
* It is possible to define this in wp-config.php
+ * @since 2.6
+ */
+if ( !defined('FORCE_SSL_ADMIN') )
+ define('FORCE_SSL_ADMIN', false);
+force_ssl_admin(FORCE_SSL_ADMIN);
+
+/**
+ * It is possible to define this in wp-config.php
+ * @since 2.6
+ */
+if ( !defined('FORCE_SSL_LOGIN') )
+ define('FORCE_SSL_LOGIN', false);
+force_ssl_login(FORCE_SSL_LOGIN);
+
+/**
+ * It is possible to define this in wp-config.php
* @since 2.5.0
*/
if ( !defined( 'AUTOSAVE_INTERVAL' ) )
Index: wp-admin/admin-header.php
===================================================================
--- wp-admin/admin-header.php (revision 8065)
+++ wp-admin/admin-header.php (working copy)
@@ -111,7 +111,7 @@
-%2$s!'), 'profile.php', $user_identity) ?> | | Help') ?> | Forums') ?> |
%2$s!'), 'profile.php', $user_identity) ?> | | Help') ?> | Forums') ?> |