[wp-trac] [WordPress Trac] #9207: redirect_to wp-admin Should Force SSL If FORCE_SSL_ADMIN is enabled

WordPress Trac noreply at wordpress.org
Thu Jun 5 14:50:15 UTC 2014


#9207: redirect_to wp-admin Should Force SSL If FORCE_SSL_ADMIN is enabled
-----------------------------------------+----------------------
 Reporter:  g30rg3x                      |       Owner:  hakre
     Type:  defect (bug)                 |      Status:  closed
 Priority:  normal                       |   Milestone:
Component:  Security                     |     Version:  2.9
 Severity:  normal                       |  Resolution:  wontfix
 Keywords:  has-patch reporter-feedback  |     Focuses:
-----------------------------------------+----------------------
Changes (by nacin):

 * status:  accepted => closed
 * resolution:   => wontfix
 * milestone:  Future Release =>


Comment:

 In trunk, here's what happens:

  * Go to http://wordpress/wp-admin/
  * auth_redirect() sends you to https://wordpress/wp-admin/
  * auth_redirect() then authenticates you, redirects to https://wordpress/wp-login.php?redirect_to=https://wordpress/wp-admin/
  * Logging in takes you directly to https://wordpress/wp-admin/

 This is proper behavior. That said, it is still possible to go to
 https://wordpress/wp-login.php?redirect_to=http://wordpress/wp-admin/,
 which will indeed end up with the double-redirect being described.

 The reason is that $secure_cookie is set to `''` under a forced SSL
 situation, and only set to true when we're not forcing SSL but the user's
 preference is an SSL experience. (This user preference is largely a dead
 concept as of #10267.) The authentication functions then set
 $secure_cookie to true when `''` and under is_ssl(). Trusting `if (
 $secure_cookie )` rather than `if ( force_ssl_admin() )` thus triggers a
 double-redirect for forced SSL.

 This is actually by design, though. This happened in [8701] simply to
 ensure we are following the user's preference. Since this no longer
 (never?) can happen normally (as going to http wp-admin redirects to https
 wp-admin before redirecting to wp-login), there's nothing to fix here.
 Closing out.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/9207#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
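Added example, not code from the ticket or from WordPress itself: a small Python model of the redirect chain nacin walks through above. The function names (auth_redirect_hops, login_redirect_target, post_login_hops, etc.) are invented for this illustration, the host `wordpress` is the same placeholder the comment uses, and the model keys "is this wp-admin?" on the URL path only. It reproduces the two checks the comment contrasts, `if ( $secure_cookie )` evaluated before authentication has turned `''` into is_ssl(), versus `if ( force_ssl_admin() )`, and counts the resulting Location hops.

```python
# Added example: a constructed Python model of the login redirect chain the
# comment describes. It is NOT WordPress code; the function names here are
# invented, and the URLs use the same placeholder host as the comment.
from urllib.parse import quote, urlsplit, urlunsplit


def upgrade_to_https(url: str) -> str:
    """Rewrite an http:// URL to https:// and leave anything else untouched."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)


def is_admin_url(url: str) -> bool:
    """True for the wp-admin area; this model keys on the path only."""
    return urlsplit(url).path.startswith("/wp-admin")


def initial_secure_cookie(force_ssl_admin: bool, user_prefers_ssl: bool):
    """$secure_cookie before authentication, as the comment describes it:
    '' under forced SSL, True only when SSL is not forced but the user's
    preference is an SSL experience."""
    if force_ssl_admin:
        return ""
    return True if user_prefers_ssl else ""


def cookie_after_signon(secure_cookie, is_ssl: bool) -> bool:
    """The authentication step: '' becomes is_ssl(); an explicit flag is kept."""
    if secure_cookie == "":
        return is_ssl
    return bool(secure_cookie)


def auth_redirect_hops(requested: str, force_ssl_admin: bool) -> list:
    """Unauthenticated request for wp-admin: the hops before the login form.
    Under forced SSL an http request is bounced to https first, then to
    wp-login.php with the (now https) URL as redirect_to."""
    hops = []
    url = requested
    if force_ssl_admin and urlsplit(url).scheme == "http":
        url = upgrade_to_https(url)
        hops.append(url)
    parts = urlsplit(url)
    login = urlunsplit((parts.scheme, parts.netloc, "/wp-login.php",
                        "redirect_to=" + quote(url, safe=""), ""))
    hops.append(login)
    return hops


def login_redirect_target(redirect_to: str, force_ssl_admin: bool,
                          user_prefers_ssl: bool, trust_force_ssl_admin: bool) -> str:
    """Pick where a successful login sends the browser.
    trust_force_ssl_admin=False reproduces the check the comment quotes,
    `if ( $secure_cookie )`, evaluated while the value is still '' under
    forced SSL; True models the `if ( force_ssl_admin() )` check instead."""
    secure_cookie = initial_secure_cookie(force_ssl_admin, user_prefers_ssl)
    want_https = force_ssl_admin if trust_force_ssl_admin else bool(secure_cookie)
    if want_https and is_admin_url(redirect_to):
        return upgrade_to_https(redirect_to)
    return redirect_to


def post_login_hops(redirect_to: str, force_ssl_admin: bool,
                    user_prefers_ssl: bool = False,
                    trust_force_ssl_admin: bool = False) -> list:
    """Every Location hop after logging in over https with the given
    redirect_to. A second hop is the double redirect from the ticket:
    auth_redirect() on the http wp-admin URL bouncing it to https."""
    hops = [login_redirect_target(redirect_to, force_ssl_admin,
                                  user_prefers_ssl, trust_force_ssl_admin)]
    last = hops[-1]
    if force_ssl_admin and urlsplit(last).scheme == "http" and is_admin_url(last):
        hops.append(upgrade_to_https(last))
    return hops


if __name__ == "__main__":
    # Normal trunk path: http wp-admin -> https wp-admin -> wp-login with https redirect_to.
    print(auth_redirect_hops("http://wordpress/wp-admin/", True))
    # The hand-built URL from the comment: one extra hop under forced SSL.
    print(post_login_hops("http://wordpress/wp-admin/", True))
    # Same login with the force_ssl_admin() check: a single hop.
    print(post_login_hops("http://wordpress/wp-admin/", True, trust_force_ssl_admin=True))
```

Running it shows why the ticket was closed as wontfix: the only way to reach the two-hop case is to hand-build `wp-login.php?redirect_to=http://.../wp-admin/`, since the normal entry through auth_redirect_hops already carries an https redirect_to, and the extra hop is harmless because auth_redirect() upgrades the scheme before anything in wp-admin is served.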

