
SSL for Login Form (4 posts)

  1. skooba
    Member
    Posted 14 years ago

    Goal: Use HTTPS / SSL for the Login Form only.

    What I tried:
    - read and followed several posts about this topic.
    - tried any combination of define('FORCE_SSL_LOGIN', true); and define('FORCE_SSL_ADMIN', true);

    What I found out:
    - define('FORCE_SSL_LOGIN', true); does not redirect to https://.. in the html source code however the "form action" points to https://<login-url>
    - in my opinion this will not encrypt the username / password

    By looking deeper at the code I found the following function in wp-login.php:

    // Redirect to https login if forced to use SSL
    if ( force_ssl_admin() && !is_ssl() ) {
    	if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
    		wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
    		exit();
    	} else {
    		wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    		exit();
    	}
    }

    In my understanding the redirect to https only happens if FORCE_SSL_ADMIN is set (first if statement). This works on my Server, but then the whole admin area uses SSL.

    Questions
    - Might this be a bug in the wp-login.php code? (if I changed the check in the if statement to force_ssl_login() I'll get redirected to the SSL Login Page with only FORCE_SSL_LOGIN turned on. hmmm.. ok this was obvious now ;-) )
    - Any other ideas?

    Securing the login form is very important to our setup, since we're using a corporate directory for user authentication via wpmu-ldap. (works great!)

    Thank you very much!
    -eric.

  2. Trent
    Member
    Posted 14 years ago

    You might want to look at how this plugin does it since it works on the latest release of WPMU.

    http://wordpress.org/extend/plugins/admin-ssl-secure-admin/

    Trent

  3. skooba
    Member
    Posted 14 years ago

    Hi Trent

    thank you very much for your hint! I tried the plugin and it works - if I add wp-admin to the urls to ignore, the backend is not using SSL.
    I think this plugin is a very good and flexible solution to protecting a wpmu site with SSL.

    However - I would really rather use the "built-in" functionality, since I only need to encrypt the login form. (I always try to use as few plugins as possible.)

    Is there anyone who can analyze and comment on the code from above?
    (wp-login.php - Line 14)

    Thank you in advance,
    eric.

  4. jte
    Member
    Posted 14 years ago

    This thread is a bit old, but I believe that the original issue raised here still stands.

    We've had some problems with the ssl plugin, and FORCE_SSL_ADMIN is causing some issues when uploading files from the new post screen, so having encryption on only the login page was something we were looking into. With FORCE_SSL_LOGIN set, we were not being redirected to https for the login page. I modified this line in wp-login.php:

    if ( force_ssl_admin() && !is_ssl() ) {

    to:

    if ( ( force_ssl_login() || force_ssl_admin() ) && !is_ssl() ) {

    ...and things seem to be working properly now. Is there a bug with FORCE_SSL_LOGIN here?
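    To make the two conditions discussed in this thread comparable without a running WPMU install, here is an added PHP example (not code from the thread or from WordPress) that re-implements the quoted wp-login.php redirect decision both as shipped and with jte's change, and walks the FORCE_SSL_LOGIN / FORCE_SSL_ADMIN combinations. The host name and request path are constructed, and force_ssl_login(), force_ssl_admin() and is_ssl() are replaced by plain boolean parameters.

```php
<?php
// Added example, not code from the thread or from WordPress itself.
// Stand-alone re-implementation of the wp-login.php redirect decision quoted
// above, so the two conditions can be compared without a WPMU install.
// The booleans stand in for force_ssl_login(), force_ssl_admin() and is_ssl().

// Build the target URL the way the quoted block does: an absolute REQUEST_URI
// has its scheme rewritten in place, otherwise https:// and the Host header
// are prepended to the path.
function ssl_login_target(string $request_uri, string $http_host): string {
    if (0 === strpos($request_uri, 'http')) {
        return preg_replace('|^http://|', 'https://', $request_uri);
    }
    return 'https://' . $http_host . $request_uri;
}

// Returns the redirect URL, or null when the login page stays on plain HTTP.
// $patched = false is the condition as shipped (force_ssl_admin() only);
// $patched = true is jte's change, which also honours FORCE_SSL_LOGIN.
function ssl_login_redirect(bool $force_login, bool $force_admin, bool $is_ssl,
                            string $request_uri, string $http_host,
                            bool $patched): ?string {
    $forced = $patched ? ($force_login || $force_admin) : $force_admin;
    if ($forced && !$is_ssl) {
        return ssl_login_target($request_uri, $http_host);
    }
    return null;
}

// Walk the combinations an administrator can set in wp-config.php, for a
// constructed plain-HTTP request: GET /wp-login.php, Host: mu.example.test.
$cases = [
    'FORCE_SSL_LOGIN only' => [true,  false],
    'FORCE_SSL_ADMIN only' => [false, true],
    'both'                 => [true,  true],
    'neither'              => [false, false],
];
foreach ($cases as $label => [$login, $admin]) {
    foreach ([false, true] as $patched) {
        $r = ssl_login_redirect($login, $admin, false, '/wp-login.php',
                                'mu.example.test', $patched);
        printf("%-21s %-8s -> %s\n", $label, $patched ? 'patched' : 'shipped',
               $r ?? 'no redirect, login form served over http');
    }
}
```

Running it shows the row the thread is about: with only FORCE_SSL_LOGIN set, the shipped condition never redirects, while the patched condition sends the browser to the https:// login URL.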
