[wp-trac] [WordPress Trac] #9207: redirect_to wp-admin Should Force SSL If FORCE_SSL_ADMIN is enabled

WordPress Trac wp-trac at lists.automattic.com
Sat Feb 21 22:36:07 GMT 2009


#9207: redirect_to wp-admin Should Force SSL If FORCE_SSL_ADMIN is enabled
--------------------------+-------------------------------------------------
 Reporter:  g30rg3x       |       Owner:  anonymous  
     Type:  defect (bug)  |      Status:  new        
 Priority:  normal        |   Milestone:  2.8        
Component:  General       |     Version:             
 Severity:  normal        |    Keywords:  2nd-opinion
--------------------------+-------------------------------------------------
 Around Lines 406 to 426 on wp-login.php:

 {{{
 $secure_cookie = '';

 // If the user wants ssl but the session is not ssl, force a secure cookie.
 if ( !empty($_POST['log']) && !force_ssl_admin() ) {
         $user_name = sanitize_user($_POST['log']);
         if ( $user = get_userdatabylogin($user_name) ) {
                 if ( get_user_option('use_ssl', $user->ID) ) {
                         $secure_cookie = true;
                         force_ssl_admin(true);
                 }
         }
 }

 if ( isset( $_REQUEST['redirect_to'] ) ) {
         $redirect_to = $_REQUEST['redirect_to'];
         // Redirect to https if user wants ssl
         if ( $secure_cookie && false !== strpos($redirect_to, 'wp-admin') )
                 $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to);
 } else {
         $redirect_to = admin_url();
 }
 }}}

 As we can see in the present code, if a redirection is set while logging in
 and this redirection goes to the plain version of the dashboard, then the
 client will go to the non-SSL version of the dashboard, which will then move
 the client to the secure version (generating an extra request).[[BR]]
 I know this is kind of a tongue-twister sentence, so I think it is better to
 put a request example of the problem...

 Client: POST http://foo.bar/wp-login.php?redirect_to=http%3A%2F%2Ffoo.bar%2Fwp-admin%2Findex.php [[BR]]
 Server: HTTP 302 ... Location: http://foo.bar/wp-admin/index.php [[BR]]
 Client: GET http://foo.bar/wp-admin/index.php [[BR]]
 Server: HTTP 302 ... Location: https://foo.bar/wp-admin/index.php

 I know that WordPress is actually working as it is supposed to work (because
 we told it to move to the non-SSL version of the dashboard), but an extra
 HTTP request is issued.[[BR]]
 IMHO if we (admins) have enabled FORCE_SSL_ADMIN, then all redirections to
 wp-admin should go SSL/HTTPS even if we fill redirect_to with the plain
 version of the dashboard.[[BR]]
 There is a part of the code that detects this and replaces it, but it has
 issues, or rather, it isn't prepared to do this.[[BR]]
 At the moment we can filter login_redirect to fix this, but (again) IMHO
 this should move into the core...

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/9207>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
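As an added example (not code from the ticket or from WordPress core), a login_redirect filter of the kind the reporter mentions as a workaround: it rewrites an http:// redirect target to https:// whenever FORCE_SSL_ADMIN is on and the target really points into wp-admin. It assumes the three-argument login_redirect filter signature and the force_ssl_admin() and admin_url() functions used in the snippet above; the function name is hypothetical.

```php
<?php
/*
 * Plugin Name: Force HTTPS on wp-admin login redirects (hypothetical example)
 *
 * When an administrator has enabled FORCE_SSL_ADMIN, a post-login redirect
 * that names the plain-http dashboard is rewritten to https:// so the client
 * lands on the secure dashboard directly, instead of reaching it through a
 * second 302 from the non-SSL dashboard (the extra request the ticket shows).
 */

function example_force_ssl_admin_login_redirect( $redirect_to, $requested_redirect_to, $user ) {
    // Only act when SSL has been requested for the dashboard.
    if ( ! force_ssl_admin() ) {
        return $redirect_to;
    }

    // Compare URL paths instead of looking for "wp-admin" anywhere in the
    // string, so only real dashboard targets are rewritten. admin_url()
    // yields e.g. "http://foo.bar/wp-admin/", whose path is "/wp-admin/".
    $admin_path  = parse_url( admin_url(), PHP_URL_PATH );
    $target_path = parse_url( $redirect_to, PHP_URL_PATH );
    if ( ! is_string( $target_path ) || ! is_string( $admin_path )
         || 0 !== strpos( $target_path, $admin_path ) ) {
        return $redirect_to;
    }

    // Swap only a leading http:// scheme; https:// and relative targets are
    // returned unchanged.
    return preg_replace( '#^http://#i', 'https://', $redirect_to );
}
add_filter( 'login_redirect', 'example_force_ssl_admin_login_redirect', 10, 3 );
```

With this active, the POST in the ticket's example receives Location: https://foo.bar/wp-admin/index.php on the first 302, and the intermediate GET of the http:// dashboard no longer happens.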