[wp-trac] [WordPress Trac] #19723: Setting only SSL_Login does not force SSL Login
WordPress Trac
wp-trac at lists.automattic.com
Tue Jan 3 22:51:35 UTC 2012
#19723: Setting only SSL_Login does not force SSL Login
--------------------------+------------------------------
Reporter: ccolotti | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.3
Severity: normal | Resolution:
Keywords: has-patch |
--------------------------+------------------------------
Changes (by kurtpayne):
* cc: kpayne@… (added)
* keywords: => has-patch
* component: General => Security
Comment:
I can reproduce this in multisite and single site on 3.3.1. Patch
[[attachment:19723.patch]] forces an SSL login if the `FORCE_SSL_LOGIN`
constant is set in wp-config.php regardless of `FORCE_SSL_ADMIN`.
One note: If `FORCE_SSL_ADMIN` is true, the URL returned from
`wp_login_url()` (e.g. the "Log in" link in the sidebar in twentyeleven)
will always be SSL, regardless of my patch. This seems like a minor
impact, but it should be noted that front-end users will login over SSL
even when `FORCE_SSL_LOGIN` is not set.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19723#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list