Make WordPress Core

Opened 7 years ago

Last modified 3 years ago

#42833 new defect (bug)

WordPress forces non-ssl login in described circumstance even though FORCE_SSL_ADMIN is set in wp-config

Reported by: geomouchet
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.9.1
Component: Administration
Keywords: needs-testing
Focuses:
Cc:

Description (last modified by kirasong)

WordPress provides an http login page in this circumstance:

  1. Put the following in wp-config.php: define('FORCE_SSL_ADMIN', true);
  2. Log into your WordPress site via wp-login.php with an admin login.
  3. Click Visit Site (home icon) at the top of the page.
  4. Open a new browser tab.
  5. Log into your WordPress site in the new tab via wp-login.php.
  6. Go back to previous tab.
  7. Click on Edit Page.

It then displays the login box with http instead of https. (Ideally it would not require a new login at all, but instead would use the session from the new tab.)

Change History (3)

This ticket was mentioned in Slack in #core by peterwilsoncc. View the logs.


3 years ago

#2 @kirasong
3 years ago

  • Description modified (diff)
  • Keywords needs-testing added
  • Summary changed from Wordpress forces non-ssl login in described circumstance even though FORCE_SSL_ADMIN is set in wp-config to WordPress forces non-ssl login in described circumstance even though FORCE_SSL_ADMIN is set in wp-config

Hi @geomouchet!

Thanks so much for the report, and my apologies that it's been so long without a reply.

This ticket came up in a triage session today.

Unfortunately, no one present at that time had an environment set up to test to see if this is still an issue.

More fortunately, there have been a lot of HTTPS related improvements since the ticket was created, and there's a good chance that it has been resolved.

Would you mind testing to see if this is still an issue for you?

Thanks again!

#3 @bedas
3 years ago

Why is it hard to set up a local with SSL?
It is really a quick thing to do, unless maybe I miss something...

In any case, I cannot replicate this issue, and the issue description steps assume several unmentioned things, such as that for example the home of a website is an actual page, which it is not, by default.

Despite hidden steps, and even implementing the hidden steps, I couldn't replicate the issue; there is no new login box at all since we are ... well, logged in.
There is also no HTTPS issue, as long as, of course, the local uses a proper SSL setup.

If we were to not have an SSL setup and force SSL, then I would expect issues, but that would be expected.

If there is a need of using anonymous browsing etc, then this should be mentioned in the steps, but even so I couldn't spot any issue that wouldn't be expected.

Hope this helps.
