Make WordPress Core

Opened 6 years ago

Closed 5 years ago

#22283 closed task (blessed) (duplicate)

Load login page over HTTPS if FORCE_SSL_LOGIN is set

Reported by: barry Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: Cc:


Currently, if FORCE_SSL_LOGIN is set, we will make the HTTP POST request containing the username and password over SSL when logging in, but not the GET request for the login page. Users shouldn't have to examine HTML to figure out if their password is being sent in plain text. To ensure user confidence that they are logging in via an encrypted connection, we should redirect requests for the login page to https:// if FORCE_SSL_LOGIN, not only if FORCE_SSL_ADMIN is set. Troy Hunt explains the issue well in his post here - http://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html

While FORCE_SSL_ADMIN is obviously "best" it is not always possible or practical, but this at least makes the login experience consistent.

Attachments (1)

22283.diff (493 bytes) - added by barry 6 years ago.

Download all attachments as: .zip

Change History (11)

6 years ago

#1 @nacin
6 years ago

ryan and I have talked about this before. The problem, from what I recall, is that when SSL login is forced but not admin, we evaluate the user's original request — http or https — to decide which admin they get. But looking at the code, I'm not entirely sure that's the case. I might be recalling it wrong.

#2 @johnbillion
6 years ago

  • Cc johnbillion added

#3 @knutsp
6 years ago

  • Cc knut@… added

#5 @ethitter
5 years ago

  • Cc erick@… added

#6 @josephscott
5 years ago

  • Cc joseph@… added

#7 @betzster
5 years ago

  • Cc j@… added

#8 @nacin
5 years ago

  • Component changed from General to Security
  • Milestone changed from Awaiting Review to 3.7

#9 @nacin
5 years ago

  • Type changed from enhancement to task (blessed)

#10 @johnbillion
5 years ago

  • Milestone 3.7 deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #10267.

Note: See TracTickets for help on using tickets.