Opened 11 years ago
Closed 9 years ago
#25921 closed defect (bug) (worksforme)
User has to log in twice if redirect_to URL has other scheme than login URL
Reported by: | thomaswm | Owned by: | jbkkd |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.7.1 |
Component: | Users | Keywords: | has-patch needs-testing |
Focuses: | Cc: |
Description
I'm using WordPress Multisite version 3.7.1. Suppose you open the login page of one of the blogs via the following URL.
https://example.com/wp-login.php?redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2F&reauth=1
After logging in, you will be redirected to the URL specified by the redirect_to
URL parameter. But then you are redirected to another (non-HTTPS) login page where you're asked to login again.
http://example.com/wp-login.php?redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2F&reauth=1
I think in this case WordPress should either redirect the user to the non-HTTPS login page right away or change the scheme of the redirect_to
URL to HTTPS.
Attachments (2)
Change History (12)
#1
@
11 years ago
- Component changed from General to Users
- Keywords needs-patch good-first-bug added
- Milestone changed from Awaiting Review to Future Release
#2
@
11 years ago
- Keywords dev-feedback 2nd-opinion added
Can reconfirm this is easily reproducible, even without multisite.
Should the fix just replace http/s if the urls don't match? Otherwise, the fix would involve mixing http/s cookies.
@
11 years ago
Actually, correct solution would probably be this - make the cookie insecure, regardless of the state of forced ssl login. If we're in HTTPS but redirecting to HTTP, it doesn't matter if secure login is needed or not.
#4
@
11 years ago
- Keywords dev-feedback reporter-feedback removed
- Owner set to jbkkd
- Status changed from new to assigned
Thanks for this, jbkkd. I'll get someone else to review this as well.
When forced SSL login is set but forced SSL admin is not, we differentiate between what the user wants with the following:
- If the user initially visited wp-login.php over SSL, then issue a secure cookie and send them to wp-admin over SSL.
- If the user initially visited wp-admin.php over non-SSL, then issue a non-secure cookie and send them to wp-admin over non-SSL.
We've considered ditching the concept of forced SSL logins, making it all-or-nothing for wp-admin and wp-login.php. This is mainly to avoid attacks. See #10267.
I've studied this bug report a bit more and I want to say that there should be some other way to fix this without changing the secure-state of the cookie. "Should the fix just replace http/s if the urls don't match? Otherwise, the fix would involve mixing http/s cookies." might hold the key.
Also a note, attachments don't trigger notifications, so it's helpful to post your thoughts in a comment. Thanks!
This ticket was mentioned in Slack in #core by jorbin. View the logs.
10 years ago
#6
@
10 years ago
After #10267 was fixed, we need to check to see if this is still an issue. Can someone with an SSL cert in there dev environment please check this.
#7
@
9 years ago
- Keywords needs-testing added; good-first-bug removed
This is still possible to reproduce, but only by manually navigating to the login page over HTTPS with an HTTP redirect URL and when FORCE_SSL_ADMIN
is not set to true.
This drives me bonkers. Needs someone to track it down for sure.