[wp-trac] [WordPress Trac] #16869: Links from admin panel to site don't use HTTPS

WordPress Trac wp-trac at lists.automattic.com
Wed Mar 16 21:29:11 UTC 2011

#16869: Links from admin panel to site don't use HTTPS
 Reporter:  F30             |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Administration  |    Version:  3.1
 Severity:  normal          |   Keywords:
 Since version 3.0, Wordpress automatically changes all links to an
 'https://' url if a request is made via SSL, even if the site address is
 set to an 'http://' url. This is important in dual-stack setups, when you
 want a site to be accessible via both HTTP and HTTPS.

 However, this (as far as I have figured out) doesn't work for links which
 point from somewhere in the administration panel somewhere in the site,
 the most visible of the being the 'Visit Site' link at the top. This means
 that if you as a site administrator use those links, you are suddenly
 making unencrypted requests without even noticing it very much.

 In a situation where you rely on SSL security, your cookie information is
 being exposed. Although the cookie submitted via HTTP is not valid for the
 admin panel, a possible attacker could take over your frontend session and
 e.g. post comments under your identity. It also creates some inconvenience
 as you have to log in again when changing back to the admin panel.

 Since it seems to be a common setup only to do administration via SSL (wp-
 config even has an 'FORCE_SSL_ADMIN' option), it might be hard to figure
 out if all site links can or should be changed to 'https', too.
 But the current behavior is at least annoying and in my opinion also not
 secure for users.

Ticket URL: <http://core.trac.wordpress.org/ticket/16869>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list