[wp-trac] Re: [WordPress Trac] #7001: Admin SSL Support

WordPress Trac wp-trac at lists.automattic.com
Tue Jun 10 21:54:43 GMT 2008


#7001: Admin SSL Support
---------------------+------------------------------------------------------
 Reporter:  ryan     |        Owner:  anonymous
     Type:  defect   |       Status:  new      
 Priority:  normal   |    Milestone:  2.6      
Component:  General  |      Version:           
 Severity:  normal   |   Resolution:           
 Keywords:           |  
---------------------+------------------------------------------------------
Comment (by ryan):

 Patch adds a new cookie and changes cookie delivery.  With this there are
 now three cookies:

  * wordpress - Auth cookie delivered for wp-admin for SSL and non-SSL sessions
  * wordpress_sec - Auth cookie delivered for wp-admin for SSL sessions only
  * wordpress_logged_in - Non-auth cookie delivered across the entire blog, used to determine if a user is logged in.

 wordpress and wordpress_sec are delivered only for wp-admin.  These
 cookies will not be delivered for front page visits (at least on the
 browsers I tested).  This prevents front page XSS from fiddling with them.
 The wordpress_logged_in cookie is delivered for the front page but cannot
 be used to get into the admin.

 FORCE_SSL_LOGIN can be set to true to force all logins to happen over SSL.
 FORCE_SSL_ADMIN forces all logins and all admin sessions to be over SSL.

 FORCE_SSL_LOGIN is for when you want to secure logins so that passwords
 are not sent in the clear but still want to allow non-SSL admin sessions
 (since SSL can be so damn slow).  FORCE_SSL_ADMIN is for when you want to
 lock down logins and the admin so that both passwords and cookies are
 never sent in the clear.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/7001#comment:9>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
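The cookie scoping and the two constants described in the comment, modelled in Python as an added example; this is not code from the patch or from WordPress. The `/wp-admin` cookie path, the Secure flag on `wordpress_sec`, and withholding the plain `wordpress` cookie when FORCE_SSL_ADMIN is set are assumptions about how the patch achieves the behaviour the comment describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    path: str      # browser sends the cookie only for URLs under this path
    secure: bool   # Secure flag: browser sends it over HTTPS only


def cookies_issued_at_login(force_ssl_admin: bool) -> list[Cookie]:
    """Cookies set after a successful login under the three-cookie scheme.

    Assumption: with FORCE_SSL_ADMIN the plain 'wordpress' auth cookie is
    withheld, so an auth cookie never travels in the clear.
    """
    jar = [
        Cookie("wordpress_sec", "/wp-admin", secure=True),   # admin, SSL only
        Cookie("wordpress_logged_in", "/", secure=False),    # whole blog, non-auth
    ]
    if not force_ssl_admin:
        jar.append(Cookie("wordpress", "/wp-admin", secure=False))  # admin, any scheme
    return jar


def cookies_sent(jar: list[Cookie], scheme: str, path: str) -> list[str]:
    """Model of browser cookie scoping: path-prefix match plus the Secure flag.

    A front-page request ('/') therefore never carries the wp-admin-scoped
    auth cookies, which is what keeps front-page XSS away from them.
    """
    return sorted(
        c.name for c in jar
        if (path == c.path or path.startswith(c.path.rstrip("/") + "/"))
        and (not c.secure or scheme == "https")
    )


def request_allowed(kind: str, scheme: str,
                    force_ssl_login: bool, force_ssl_admin: bool) -> bool:
    """Whether a 'login' or 'admin' request may proceed over the given scheme.

    FORCE_SSL_LOGIN only forces the login itself onto HTTPS; FORCE_SSL_ADMIN
    forces both the login and every admin session onto HTTPS.
    """
    if scheme == "https":
        return True
    if kind == "login":
        return not (force_ssl_login or force_ssl_admin)
    if kind == "admin":
        return not force_ssl_admin
    return True
```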