#12194 closed defect (bug) (invalid)
using FORCE_SSL_LOGIN and wp-login.php?redirect_to=somepage sometimes redirects to https
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 2.8.6 |
| Component: | General | Keywords: | FORCE_SSL_LOGIN FORCE_SSL_ADMIN wp-login.php redirect SSL https |
| Focuses: | Cc: |
Description
I'm using Wordpress MU 2.8.6, and this also seems to occur in Wordpress 2.7.1.
If you have FORCE_SSL_LOGIN enabled in wp-config.php, are logged out of Wordpress, and visit any page through wp-login.php?redirect_to=somepage, it will redirect to https.
For example, if you're not logged in and you visit:
http://blog.example.com/wp-login.php?redirect_to=/
after logging in, it will send you to:
or if you visit (once again, you have to be logged out):
http://blog.example.com/wp-login.php?redirect_to=/feed/
it will send you to:
https://blog.example.com/feed/
It doesn't appear to do this for backend pages (wp-admin).
This bug shows up particularly when using plugins that make you log in to see protected blog content, such as the More Privacy Options plugin, although the bug manifests itself with or without those plugins installed.
I enabled FORCE_SSL_ADMIN and tested the same thing, and it creates a redirect loop.
FORCE_SSL_ADMIN redirects
http://blog.example.com/wp-login.php?redirect_to=/
to
https://blog.example.com/wp-login.php?redirect_to=/
The redirect_to is a relative (to the current url) link which is running under SSL. Use an absolute link for redirect_to.