[wp-trac] [WordPress Trac] #10267: Login form SSL is confusing

Mon Jul 14 22:59:40 UTC 2014

#10267: Login form SSL is confusing
-------------------------------+-----------------------
 Reporter:  Denis-de-Bernardy  |       Owner:  ryan
     Type:  defect (bug)       |      Status:  reopened
 Priority:  normal             |   Milestone:  4.0
Component:  Security           |     Version:
 Severity:  normal             |  Resolution:
 Keywords:  needs-patch        |     Focuses:
-------------------------------+-----------------------
Changes (by iandunn):

 * status:  closed => reopened
 * resolution:  fixed =>

Comment:

 I ran into a problem after updating an MU installation to 4.0-beta1. I'm
 not sure how common the site's configuration is, or if it's even
 considered a supported use case, but I figured I'd mention it just to be
 safe.

 Configuration:
 * Main site does have an SSL certificate
 * Sub-sites do not have SSL certificates
 * `wp-config.php` enables `FORCE_SSL_LOGIN`
 * Logging in on the sub-sites is redirected to the main site
 [https://gist.github.com/iandunn/273d84c1c97959ba3359 via an mu-plugin ]

 r28609 causes two problems with this setup:
 1. `wp-login.php` redirects the user to the sub-site's HTTPS login URL,
 and their browser shows them a certificate error.
 1. The auth cookie scheme changes from `auth` to `secure_auth`, and the
 user gets stuck in a loop when they login.

 The step-by-step process looks like this:

 * User attempts to visit http://sub-site.example.org/wp-admin
 * User is redirected to https://sub-site.example.org/wp-admin, and their
 browser displays a warning because there isn't a valid certificate
 * If they proceed anyway, they're redirected to https://example.org/wp-
 login.php
 * User submits correct username/password, is given secure auth cookies and
 redirected to http://sub-site.example.org/wp-admin
 * Cookies aren't valid for http://sub-site.example.org/wp-admin because
 they're `secure_auth` instead of `auth`
 * User is redirected back to https://example.org/wp-login.php and is stuck
 in a loop

 If backwards compatibility isn't going to be maintained in this case, then
 the problems can be fixed on the site's end by making these adjustments:

 1. Redirecting to https://sub-site.example.org/wp-admin can be avoided by
 disabling `FORCE_SSL_LOGIN` on the sub-sites. This is really how it should
 have been configured all along, but before r28609 there wasn't any obvious
 consequence to setting it incorrectly.

 {{{
 #!php
 if ( 'example.org' == $_SERVER['HTTP_HOST'] ) {
         define( 'FORCE_SSL_LOGIN', true );
 } else {
         define( 'FORCE_SSL_LOGIN', false );
 }
 }}}

 2. The login redirection loop can be avoided by using the `auth` scheme
 when redirecting to a site without a certificate:

 {{{
 #!php
 if ( ! empty( $_REQUEST['redirect_to'] ) && 'http://' == substr(
 urldecode( $_REQUEST['redirect_to'] ), 0, 7 ) ) {
         add_filter( 'secure_signon_cookie',    '__return_false' );
         add_filter( 'secure_auth_cookie',      '__return_false' );
         add_filter( 'secure_logged_in_cookie', '__return_false' );
 }
 }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/10267#comment:22>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform