[wp-trac] [WordPress Trac] #25921: User has to log in twice if redirect_to URL has other scheme than login URL
WordPress Trac
noreply at wordpress.org
Thu Feb 6 21:32:47 UTC 2014
#25921: User has to log in twice if redirect_to URL has other scheme than login URL
--------------------------------------+-----------------------------
Reporter: thomaswm | Owner: jbkkd
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Future Release
Component: Users | Version: 3.7.1
Severity: normal | Resolution:
Keywords: good-first-bug has-patch | Focuses:
--------------------------------------+-----------------------------
Changes (by nacin):
* keywords: good-first-bug dev-feedback has-patch reporter-feedback => good-first-bug has-patch
* owner: => jbkkd
* status: new => assigned
Comment:
Thanks for this, jbkkd. I'll get someone else to review this as well.
When forced SSL login is set but forced SSL admin is not, we differentiate
between what the user wants with the following:
* If the user initially visited wp-login.php over SSL, then issue a
secure cookie and send them to wp-admin over SSL.
* If the user initially visited wp-admin.php over non-SSL, then issue a
non-secure cookie and send them to wp-admin over non-SSL.
We've considered ditching the concept of forced SSL logins, making it all-or-nothing for wp-admin and wp-login.php. This is mainly to avoid attacks. See #10267.
I've studied this bug report a bit more and I want to say that there
should be some other way to fix this without changing the secure-state of
the cookie. "Should the fix just replace http/s if the urls don't match?
Otherwise, the fix would involve mixing http/s cookies." might hold the
key.
Also a note, attachments don't trigger notifications, so it's helpful to
post your thoughts in a comment. Thanks!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/25921#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac mailing list
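The two cases nacin lists (secure cookie plus SSL redirect when wp-login.php was reached over SSL, plain cookie plus non-SSL redirect otherwise) and the quoted suggestion of rewriting the scheme of `redirect_to` instead of mixing secure and non-secure cookies can be modelled as a small decision function. The following is an added illustration, not WordPress core code and not the patch attached to the ticket; the function names, the `force_ssl_login`/`force_ssl_admin` booleans and the rule that a session only survives when the cookie's Secure flag matches the scheme of the page it is sent to are simplifying assumptions made here to show why a scheme mismatch produces the second login prompt.

```python
# Added example: a simplified model of the cookie/redirect decision discussed
# in the ticket. Not WordPress code; names and rules are assumptions.
from urllib.parse import urlsplit, urlunsplit


def rewrite_scheme(url: str, scheme: str) -> str:
    """Return `url` with its scheme replaced, leaving host/path/query intact."""
    parts = urlsplit(url)
    return urlunsplit((scheme,) + tuple(parts[1:]))


def naive_decide(login_scheme: str, redirect_to: str):
    """Behaviour the ticket reports (assumed): the cookie's Secure flag follows
    the scheme used for wp-login.php, but redirect_to is passed through as-is,
    so its scheme may not match the cookie that was just issued."""
    secure_cookie = login_scheme == "https"
    return secure_cookie, redirect_to


def decide_login(login_scheme: str, redirect_to: str,
                 force_ssl_login: bool, force_ssl_admin: bool):
    """Return (secure_cookie, redirect_url).

    - force_ssl_admin: all-or-nothing, secure cookie and SSL admin regardless
      of how wp-login.php was reached.
    - force_ssl_login only: follow the scheme the user used for wp-login.php
      (nacin's two cases) and rewrite redirect_to to that same scheme, which is
      the quoted "replace http/s if the urls don't match" idea.
    - neither: cookie follows the request scheme; redirect_to is left alone.
    """
    if force_ssl_admin:
        return True, rewrite_scheme(redirect_to, "https")
    secure_cookie = login_scheme == "https"
    if force_ssl_login:
        return secure_cookie, rewrite_scheme(redirect_to, login_scheme)
    return secure_cookie, redirect_to


def session_survives(secure_cookie: bool, redirect_url: str) -> bool:
    """Assumed check: a Secure cookie is never sent over http, and in this
    model the plain cookie is not honoured for an https admin request either,
    so the login only 'sticks' when cookie flag and target scheme agree."""
    target_is_https = urlsplit(redirect_url).scheme == "https"
    return secure_cookie == target_is_https


if __name__ == "__main__":
    # Constructed sample: user logs in over SSL, but the link carried an
    # http redirect_to. Without rewriting the scheme the user lands on wp-admin
    # without a usable cookie and is asked to log in again.
    print(session_survives(*naive_decide("https", "http://example.com/wp-admin/")))
    print(session_survives(*decide_login("https", "http://example.com/wp-admin/",
                                         force_ssl_login=True, force_ssl_admin=False)))
```

The point of the model is that the secure-state of the cookie never changes; only the redirect target is brought into line with the scheme the cookie was issued for, which is the alternative nacin asks for over mixing http and https cookies.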