[wp-trac] [WordPress Trac] #22283: Load login page over HTTPS if FORCE_SSL_LOGIN is set
WordPress Trac
noreply at wordpress.org
Fri Oct 26 03:08:53 UTC 2012
#22283: Load login page over HTTPS if FORCE_SSL_LOGIN is set
-----------------------------+-------------------------
 Reporter:  barry            |       Type:  enhancement
   Status:  new              |   Priority:  normal
Milestone:  Awaiting Review  |  Component:  General
  Version:                   |   Severity:  normal
 Keywords:                   |
-----------------------------+-------------------------
Currently, if FORCE_SSL_LOGIN is set, we will make the HTTP POST request
containing the username and password over SSL when logging in, but not the
GET request for the login page. Users shouldn't have to examine HTML to
figure out if their password is being sent in plain text. To ensure user
confidence that they are logging in via an encrypted connection, we should
redirect requests for the login page to https:// if FORCE_SSL_LOGIN, not
only if FORCE_SSL_ADMIN is set. Troy Hunt explains the issue well in his
post here - http://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html

While FORCE_SSL_ADMIN is obviously "best" it is not always possible or
practical, but this at least makes the login experience consistent.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/22283>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
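
The check the ticket says users should not have to do by hand, as an added example that is not part of the original ticket or of WordPress: it compares the scheme a login page was served over with the scheme its password form posts to. The host `example.test`, the sample markup and the result labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login form whose action is absolute https://, as when
# only the POST is forced onto SSL. example.test is a placeholder host.
SAMPLE_FORM = """
<form name="loginform" action="https://example.test/wp-login.php" method="post">
  <input type="text" name="log" />
  <input type="password" name="pwd" />
</form>
"""

class PasswordFormFinder(HTMLParser):
    """Records the action attribute of each form that holds a password field."""
    def __init__(self):
        super().__init__()
        self.in_form = False
        self.action = ""
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.in_form, self.action = True, attrs.get("action") or ""
        elif tag == "input" and self.in_form:
            if (attrs.get("type") or "").lower() == "password":
                self.actions.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def classify_login_page(page_url, html):
    """Compare the scheme the page was served over with where the password goes."""
    finder = PasswordFormFinder()
    finder.feed(html)
    if not finder.actions:
        return "no-password-form"
    page_https = urlsplit(page_url).scheme == "https"
    # An empty or relative action resolves against the page URL, as in a browser.
    post_https = all(urlsplit(urljoin(page_url, a)).scheme == "https"
                     for a in finder.actions)
    if page_https and post_https:
        return "page-and-post-https"
    if post_https:
        return "post-https-only"  # the state the ticket describes
    return "page-https-post-plaintext" if page_https else "plaintext"

if __name__ == "__main__":
    print(classify_login_page("http://example.test/wp-login.php", SAMPLE_FORM))
```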