The MU forums have moved to WordPress.org

login on https impossible (3 posts)

  1. kiusap
    Member
    Posted 17 years ago #

    I have a WPmu installation on https. wp-login.php just posts the login & password to:

    <form name="loginform" id="loginform" action="http://<?php echo $current_blog->domain . $current_blog->path ?>wp-login.php" method="post">

    And I had to tell him action="httpS://...". A simple patch would be adding a 'protocol' field into $current_blog

  2. drmike
    Member
    Posted 17 years ago #

    Not a bug. WPMu is setup to only work with http:// You may want to do a search as it's been discussed in the past.

  3. xiand0
    Blocked
    Posted 17 years ago #

    Actually, you need to "patch" quite a few more files, like

    function get_option($setting) in trunk/wp-includes where you'd possibly want to add

    if($_SERVER['HTTPS']=='on'){$value = str_replace('http', 'https', $value);}

    kiusap, know that login into a service over https makes absolutely no difference.

    I tried out changing quite a few files to get https support to WPMU, but I don't use those changes anymore simply because it's way to hard to ensure that session data is never transferred over non-https when a logged in user is browsing around a site.

    See, if I'm the adversary then it makes no difference when I steal your session, if I do it when you login or when you browse around a site logged in or whatever makes very little difference. So you have to be sure that _everything_ is https after the point of login. Which I found a bit hard. But I'd love to have https support as http is so insecure it's redicilous.

About this Topic