[wp-trac] [WordPress Trac] #16822: FORCE_SSL_LOGIN causes wp-login.php to have an incorrect https link

WordPress Trac noreply at wordpress.org
Mon Jul 29 00:28:07 UTC 2013

#16822: FORCE_SSL_LOGIN causes wp-login.php to have an incorrect https link
 Reporter:  dbvista       |       Owner:  jakub.tyrcha
     Type:  defect (bug)  |      Status:  accepted
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Security      |     Version:  3.1
 Severity:  normal        |  Resolution:
 Keywords:                |

Comment (by willnorris):

 Replying to [comment:6 nacin]:
 > I don't know if there's a good solution for this.
 > There's no easy way to know whether the frontend is forced to SSL. So we
 > don't actually know how we should be displaying links to the homepage.
 > This occurs in the admin too, I imagine? The Visit Site link, for example.

 Well, sure there is (sort of).  `get_home_url` currently has:

     if ( is_ssl() && ! is_admin() )
       $scheme = 'https';
     else
       $scheme = parse_url( $url, PHP_URL_SCHEME );

 The idea here being, if you're currently browsing with SSL, then we assume
 you want to continue doing so.  The exception being if you're currently
 browsing wp-admin, in which case we don't make that assumption, since
 sites with `FORCE_SSL_ADMIN` will likely have secure admin pages, but not
 the frontend site.  In that case, we just don't touch the scheme and use
 whatever we got back from `get_option('home')`.

 We simply need to extend that logic to cover `wp-login.php` as well.
 There is no equivalent `is_login_page()` function to know if code is
 running on the login page, so that would need to be added.

Ticket URL: <http://core.trac.wordpress.org/ticket/16822#comment:9>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
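
The scheme selection discussed in the comment above, as an added example that is not part of the original message or of WordPress core. It is a standalone sketch: `resolve_home_scheme()`, `home_link()`, the `$ctx` keys and `example.com` are hypothetical, and the `login` flag stands in for the `is_login_page()` check the comment says would need to be added.

```php
<?php
// Added illustration: standalone, does not load WordPress.
// $ctx stands in for is_ssl(), is_admin() and the proposed (not yet
// existing) is_login_page(); all function names here are hypothetical.

function resolve_home_scheme( string $home, array $ctx, bool $exempt_login ): string {
    // Pages that may be HTTPS-only while the frontend is not.
    $backend = $ctx['admin'] || ( $exempt_login && $ctx['login'] );
    if ( $ctx['ssl'] && ! $backend ) {
        return 'https'; // already browsing the frontend over SSL: stay on it
    }
    // Otherwise leave the scheme stored in the 'home' option untouched.
    return (string) parse_url( $home, PHP_URL_SCHEME );
}

function home_link( string $home, array $ctx, bool $exempt_login ): string {
    $scheme = resolve_home_scheme( $home, $ctx, $exempt_login );
    return preg_replace( '#^[a-z]+://#i', $scheme . '://', $home );
}

// Constructed sample: HTTP-only frontend, login and admin served over HTTPS.
$home  = 'http://example.com';
$cases = array(
    'frontend, http'      => array( 'ssl' => false, 'admin' => false, 'login' => false ),
    'frontend, https'     => array( 'ssl' => true,  'admin' => false, 'login' => false ),
    'wp-admin, https'     => array( 'ssl' => true,  'admin' => true,  'login' => false ),
    'wp-login.php, https' => array( 'ssl' => true,  'admin' => false, 'login' => true ),
);

foreach ( $cases as $label => $ctx ) {
    printf(
        "%-20s current: %-20s with login check: %s\n",
        $label,
        home_link( $home, $ctx, false ),
        home_link( $home, $ctx, true )
    );
}
```

Only the `wp-login.php` row differs between the two columns: without the login check the home link is rewritten to `https://example.com`, with it the link keeps the stored `http` scheme.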
