• I would like to present my opinion, that the current implementation of FORCE_SSL_LOGIN configuration directive has needlessly crippled security.

    The problem was mentioned, but not properly solved in these older discussions:
    http://wordpress.org/support/topic/force_ssl_login-not-working-in-27
    http://wordpress.org/support/topic/https-and-force_ssl_login-troubles
    http://wordpress.org/support/topic/multisite-ssl-wildcard-and-forced-login

    The security of SSL has 2 parts:

    1. encryption of private data – this part, but only this part is achieved by current behavior
    2. identity verification of remote host – this is an equally important part, as it is used for key exchange for the data encryption. This is continually addressed in browser development for the past 5 years and this is also the reason for obtaining commercial SSL certificates. It's no use to encrypt data, if you don’t know:
    1. your private data is going to be encrypted and
    2. you don’t know with whom you are exchanging the encryption keys

    For the SSL security to work properly, the user must have a way of confirming identity of the remote server and this is only achieved if the login form itself is also delivered via SSL secured connection, which the browser can properly indicate to the user. This is also how the vast majority of web sites are using it.

    Workaround
    On SSL enabled sites add the following code to wp-login.php right after opening php tag:

    // $_SERVER["HTTPS"] is not set at all on plain HTTP requests, so test for
    // absence (or the IIS value "off") instead of comparing against "on".
    if (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] == "off") {
       header("HTTP/1.1 301 Moved Permanently");
       // SERVER_NAME comes from the server config, not from the client's Host header.
       header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
       exit();
    }
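The same redirect can be done without editing wp-login.php (which an upgrade overwrites), by hooking the login_init action from a must-use plugin. This is an added example, not the poster's code: it assumes the file is placed in wp-content/mu-plugins/, and the X-Forwarded-Proto branch is only needed when TLS terminates on a reverse proxy in front of PHP (assumed to set that header).

```php
<?php
/*
 * Plugin Name: Force HTTPS for the login form (added example, not the poster's code)
 * Place in wp-content/mu-plugins/ so it is loaded automatically and survives
 * WordPress core upgrades, instead of patching wp-login.php.
 */

// Behind a TLS-terminating reverse proxy PHP only sees plain HTTP, so is_ssl()
// would return false and the redirect below would loop. Assumption: the proxy
// is trusted to set X-Forwarded-Proto; on a directly exposed server drop this.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) {
    $_SERVER['HTTPS'] = 'on';
}

// login_init fires at the top of wp-login.php before any output, for the GET
// that serves the form as well as the POST, so the form itself is delivered
// over HTTPS and the browser can show the server's certificate to the user.
add_action( 'login_init', function () {
    if ( is_ssl() ) {
        return; // is_ssl() accepts HTTPS=on, HTTPS=1 and server port 443
    }
    // SERVER_NAME comes from the server configuration, not the client's Host
    // header; wp_safe_redirect() additionally refuses off-site targets and
    // falls back to the dashboard URL.
    $target = 'https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    wp_safe_redirect( $target, 302 );
    exit;
} );
```

A 302 is used rather than the poster's 301 so that browsers do not cache the redirect if the HTTPS configuration has to be rolled back.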