#19723 closed defect (bug) (wontfix)
Setting only SSL_Login does not force SSL Login
| Reported by: | ccolotti | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.3 |
| Component: | Security | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
I have noticed on 3.3 multi-site that if Force_SSL_Login only is set it is actually not redirected to SSL. Only when BOTH force SSL_admin and SSL_Login are set do you get the SSL login page. I am running the default multi-site .htaccess as specified by the multisite setup. I am not sure if that needs to be modified, but it never had to be changed before 3.3.
Attachments (1)
Change History (6)
#1 @ 13 years ago
- Cc kpayne@… added
- Component changed from General to Security
- Keywords has-patch added
#2 follow-up: ↓ 3 @ 13 years ago
FORCE_SSL_LOGIN only forces that the credentials get sent over HTTPS, not the accessing of wp-login.php itself. If you want everything to be SSL you should set FORCE_SSL_ADMIN.
#3 in reply to: ↑ 2 @ 13 years ago
Replying to nacin:
FORCE_SSL_LOGIN only forces that the credentials get sent over HTTPS, not the accessing of wp-login.php itself. If you want everything to be SSL you should set FORCE_SSL_ADMIN.
That makes sense. One would think that switch would at least just make the login page also SSL so you know you are secure. I know it is SENT over SSL when you submit.
#4 @ 13 years ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
This is done as part of the support for allowing logins over https or http. Visiting wp-login.php via https results in SSL-only cookies and redirection to the https admin. Visiting wp-login.php via http results in non-SSL cookies and redirection to the http admin. Currently, those who want wp-login.php to always be delivered over SSL must set FORCE_SSL_ADMIN or use a plugin.
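A defender-side check for the two symptoms the closing comment describes (wp-login.php answered over plain http instead of being redirected to https, and cookies issued without the Secure attribute), as an added example that is not code from the ticket, the patch or WordPress itself; the hostname, cookie name and the three sample responses are constructed.

```python
"""Audit the response to a GET of wp-login.php for the behaviour the ticket
describes: the page itself served over http (no redirect to https) and cookies
issued without the Secure attribute. Sample responses below are constructed."""
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


def parse_set_cookie(value):
    """Return (name, {attribute_lower: value}) for one Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_login_response(request_url, status, headers):
    """headers: list of (name, value) pairs as received. Returns a list of findings."""
    findings = []
    scheme = urlsplit(request_url).scheme
    location = next((v for k, v in headers if k.lower() == "location"), None)
    redirected_to_https = (status in REDIRECTS and location is not None
                           and urlsplit(location).scheme == "https")
    # Symptom 1: with only FORCE_SSL_LOGIN the http request is answered in place.
    if scheme == "http" and not redirected_to_https:
        findings.append("wp-login.php served over plain http (no redirect to https); "
                        "FORCE_SSL_LOGIN alone does not redirect, set FORCE_SSL_ADMIN")
    # Symptom 2: cookies set on an http visit lack the Secure attribute.
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {name} set without the Secure attribute")
    return findings


# Constructed sample: FORCE_SSL_LOGIN only, login page requested over http.
SAMPLE_HTTP = ("http://blog.example/wp-login.php", 200, [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "wp_sample_test=WP Cookie check; path=/"),
])
# Constructed sample: FORCE_SSL_ADMIN set, the same request is redirected to https.
SAMPLE_REDIRECT = ("http://blog.example/wp-login.php", 302, [
    ("Location", "https://blog.example/wp-login.php"),
])
# Constructed sample: page fetched directly over https, cookie carries Secure.
SAMPLE_HTTPS = ("https://blog.example/wp-login.php", 200, [
    ("Set-Cookie", "wp_sample_test=WP Cookie check; path=/; secure"),
])

if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_REDIRECT, SAMPLE_HTTPS):
        print(sample[0], sample[1], audit_login_response(*sample) or ["ok"])
```

To run it against a real site, feed the function the first response (before any redirect is followed) from a GET of http://your-host/wp-login.php.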
I can reproduce this in multisite and single site on 3.3.1. Patch 19723.patch forces an SSL login if the FORCE_SSL_LOGIN constant is set in wp-config.php regardless of FORCE_SSL_ADMIN. One note: if FORCE_SSL_ADMIN is true, the URL returned from wp_login_url() (e.g. the "Log in" link in the sidebar in twentyeleven) will always be SSL, regardless of my patch. This seems like a minor impact, but it should be noted that front-end users will log in over SSL even when FORCE_SSL_LOGIN is not set.