WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#12194 closed defect (bug) (invalid)

using FORCE_SSL_LOGIN and wp-login.php?redirect_to=somepage sometimes redirects to https

Reported by: vanillaxtrakt Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.8.6
Component: General Keywords: FORCE_SSL_LOGIN FORCE_SSL_ADMIN wp-login.php redirect SSL https
Focuses: Cc:

Description

I'm using Wordpress MU 2.8.6, and this also seems to occur in Wordpress 2.7.1.

If you have FORCE_SSL_LOGIN enabled in wp-config.php, are logged out of Wordpress, and visit any page through wp-login.php?redirect_to=somepage, it will redirect to https.

For example, if you're not logged in and you visit:

http://blog.example.com/wp-login.php?redirect_to=/

after logging in, it will send you to:

https://blog.example.com/

or if you visit (once again, you have to be logged out):

http://blog.example.com/wp-login.php?redirect_to=/feed/

it will send you to:

https://blog.example.com/feed/

It doesn't appear to do this for backend pages (wp-admin).

This bug shows up particularly when using plugins that make you log in to see protected blog content, such as the More Privacy Options plugin, although the bug manifests itself with or without those plugins installed.

I enabled FORCE_SSL_ADMIN and tested the same thing, and it creates a redirect loop.

Change History (2)

comment:1 @wpmuguru6 years ago

  • Resolution set to invalid
  • Status changed from new to closed

FORCE_SSL_ADMIN redirects

http://blog.example.com/wp-login.php?redirect_to=/

to

https://blog.example.com/wp-login.php?redirect_to=/

The redirect_to is a relative (to the current url) link which is running under SSL. Use an absolute link for redirect_to.

comment:2 @nacin6 years ago

  • Milestone Unassigned deleted
Note: See TracTickets for help on using tickets.