Make WordPress Core

Opened 12 years ago

Closed 11 years ago

#22283 closed task (blessed) (duplicate)

Load login page over HTTPS if FORCE_SSL_LOGIN is set

Reported by: barry
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

Currently, if FORCE_SSL_LOGIN is set, we will make the HTTP POST request containing the username and password over SSL when logging in, but not the GET request for the login page. Users shouldn't have to examine HTML to figure out if their password is being sent in plain text. To ensure user confidence that they are logging in via an encrypted connection, we should redirect requests for the login page to https:// if FORCE_SSL_LOGIN is set, not only if FORCE_SSL_ADMIN is set. Troy Hunt explains the issue well in his post here - http://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html

While FORCE_SSL_ADMIN is obviously "best", it is not always possible or practical, but this at least makes the login experience consistent.
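The redirect the description asks for, written out as an added illustration. This is not the ticket's 22283.diff and not WordPress core code; it assumes it runs early in wp-login.php after WordPress is loaded, so that the core functions is_ssl(), force_ssl_admin(), force_ssl_login(), site_url(), set_url_scheme() and wp_safe_redirect() are available. The example_-prefixed function names are hypothetical.

```php
<?php
// Added illustration: send plain-HTTP requests for the login page to HTTPS
// when FORCE_SSL_LOGIN is set, not only when FORCE_SSL_ADMIN is set.
// Assumes WordPress is loaded (wp-load.php) so the core helpers below exist.

/**
 * Decide whether the current login-page request must move to HTTPS.
 *
 * Kept free of side effects so the decision can be checked on its own:
 * true when the request arrived over plain HTTP and either SSL constant
 * demands encryption for the login form.
 *
 * @param bool $request_is_ssl  Result of is_ssl() for this request.
 * @param bool $force_ssl_admin Result of force_ssl_admin().
 * @param bool $force_ssl_login Result of force_ssl_login().
 * @return bool
 */
function example_login_needs_https( $request_is_ssl, $force_ssl_admin, $force_ssl_login ) {
	if ( $request_is_ssl ) {
		return false; // Already encrypted; nothing to do.
	}
	// Behaviour the ticket describes: today only FORCE_SSL_ADMIN triggers the
	// redirect. Adding FORCE_SSL_LOGIN to the condition protects the GET for
	// the form as well as the POST that carries the credentials.
	return $force_ssl_admin || $force_ssl_login;
}

/**
 * Build the HTTPS URL for wp-login.php, preserving the query string
 * (for example ?action=lostpassword or ?redirect_to=...).
 *
 * @param string $query_string Raw query string of the current request.
 * @return string
 */
function example_https_login_url( $query_string ) {
	$url = set_url_scheme( site_url( 'wp-login.php' ), 'https' );
	if ( '' !== $query_string ) {
		$url .= '?' . $query_string;
	}
	return $url;
}

if ( example_login_needs_https( is_ssl(), force_ssl_admin(), force_ssl_login() ) ) {
	// Derive the target from the configured site URL rather than the
	// client-supplied Host header, and use wp_safe_redirect() so the
	// destination is validated against the allowed hosts before redirecting.
	$query = isset( $_SERVER['QUERY_STRING'] ) ? $_SERVER['QUERY_STRING'] : '';
	wp_safe_redirect( example_https_login_url( $query ) );
	exit;
}
```

The decision is split from the redirect so the condition can be reviewed (or unit-tested) without a web server. One caveat for anyone reading this ticket later: WordPress 4.4 deprecated force_ssl_login() in favour of force_ssl_admin(), so on current releases the FORCE_SSL_ADMIN path is the one that applies.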

Attachments (1)

22283.diff (493 bytes) - added by barry 12 years ago.


Change History (11)

@barry
12 years ago

#1 @nacin
12 years ago

ryan and I have talked about this before. The problem, from what I recall, is that when SSL login is forced but not admin, we evaluate the user's original request — http or https — to decide which admin they get. But looking at the code, I'm not entirely sure that's the case. I might be recalling it wrong.

#2 @johnbillion
12 years ago

  • Cc johnbillion added

#3 @knutsp
12 years ago

  • Cc knut@… added

#5 @ethitter
11 years ago

  • Cc erick@… added

#6 @josephscott
11 years ago

  • Cc joseph@… added

#7 @betzster
11 years ago

  • Cc j@… added

#8 @nacin
11 years ago

  • Component changed from General to Security
  • Milestone changed from Awaiting Review to 3.7

#9 @nacin
11 years ago

  • Type changed from enhancement to task (blessed)

#10 @johnbillion
11 years ago

  • Milestone 3.7 deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #10267.
