diff --git a/wp-admin/includes/user.php b/wp-admin/includes/user.php
index 7efa832afc..8a89ac8483 100644
--- a/wp-admin/includes/user.php
+++ b/wp-admin/includes/user.php
@@ -73,6 +73,10 @@ function edit_user( $user_id = 0 ) {
else
$user->rich_editing = 'false';
+ $user->use_ssl = 0;
+ if ( !empty($_POST['use_ssl']) )
+ $user->use_ssl = 1;
+
if ( !$update )
$user->admin_color = 'fresh'; // Default to fresh for new users.
else if ( isset( $_POST['admin_color'] ) )
diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php
index 692e0310d2..e11d420a1b 100644
--- a/wp-admin/user-edit.php
+++ b/wp-admin/user-edit.php
@@ -99,13 +99,24 @@ $wp_http_referer = remove_query_arg(array('update', 'delete_count'), stripslashe
$user_id = (int) $user_id;
-if ( !$user_id )
+if ( !$user_id ) {
if ( $is_profile_page ) {
$current_user = wp_get_current_user();
$user_id = $current_user->ID;
} else {
wp_die(__('Invalid user ID.'));
}
+}
+
+// Optional SSL preference that can be turned on by hooking to the 'personal_options' action
+function use_ssl_preference($user) {
+?>
+
+ |
+ |
+
+
@@ -209,12 +220,14 @@ foreach ( $_wp_admin_css_colors as $color => $color_info ): ?>
-
+
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index eb8f47799a..a74b3c281d 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -703,8 +703,20 @@ function auth_redirect() {
}
}
- if ( wp_validate_auth_cookie() )
+ if ( $user_id = wp_validate_auth_cookie() ) {
+ // If the user wants ssl but the session is not ssl, redirect.
+ if ( !$secure && get_user_option('use_ssl', $user_id) ) {
+ if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
+ wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
+ exit();
+ } else {
+ wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+ exit();
+ }
+ }
+
return; // The cookie is good so we're done
+ }
// The cookie is no good so force login
nocache_headers();
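Review bot: The https redirect in the else branch is assembled from `$_SERVER['HTTP_HOST']`, which is the client's Host header rather than the site's configured address, so the destination of that redirect is chosen by whoever sent the request; building the target from the configured site URL, or sending it through `wp_safe_redirect()` so the host is checked against the site's own, keeps a forged Host header from turning the ssl bounce into a redirect to another origin. The `$secure` flag tested on the first new line is set before this hunk and auth_redirect's body continues past it, so I could not confirm that `$secure` is true for every HTTPS request; if it is derived from is_ssl() and the site sits behind a TLS terminator, a user with the preference would be redirected in a loop, which deserves a comment at the check. A smaller point of style: the assignment inside `if ( $user_id = wp_validate_auth_cookie() )` hides that the function now depends on the cookie's user ID; `$user_id = wp_validate_auth_cookie();` on its own line before the `if` reads more plainly.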
diff --git a/wp-includes/registration.php b/wp-includes/registration.php
index 8e822834dd..efd34c3cfa 100644
--- a/wp-includes/registration.php
+++ b/wp-includes/registration.php
@@ -158,6 +158,9 @@ function wp_insert_user($userdata) {
$admin_color = 'fresh';
$admin_color = preg_replace('|[^a-z0-9 _.\-@]|i', '', $admin_color);
+ if ( empty($use_ssl) )
+ $use_ssl = 0;
+
if ( empty($user_registered) )
$user_registered = gmdate('Y-m-d H:i:s');
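Review bot: `$use_ssl` is only defaulted to 0 when empty; any non-empty value supplied in `$userdata` is written unchanged to usermeta by the new update_usermeta call in the next hunk, unlike `$admin_color` two lines above, which is filtered before storage, and unlike edit_user in wp-admin/includes/user.php, which reduces the same preference to 0 or 1. Normalizing here keeps the stored value boolean-shaped regardless of the caller: `$use_ssl = empty($use_ssl) ? 0 : 1;` in place of the two added lines. wp_insert_user starts before this hunk, so where `$use_ssl` is populated (presumably the same extraction from `$userdata` as the neighbouring fields) is not visible here.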
@@ -181,6 +184,7 @@ function wp_insert_user($userdata) {
update_usermeta( $user_id, 'yim', $yim );
update_usermeta( $user_id, 'rich_editing', $rich_editing);
update_usermeta( $user_id, 'admin_color', $admin_color);
+ update_usermeta( $user_id, 'use_ssl', $use_ssl);
if ( $update && isset($role) ) {
$user = new WP_User($user_id);
diff --git a/wp-login.php b/wp-login.php
index b34968de4b..b93eafb504 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -407,15 +407,30 @@ break;
case 'login' :
default:
- if ( isset( $_REQUEST['redirect_to'] ) )
- $redirect_to = $_REQUEST['redirect_to'];
- else
- $redirect_to = admin_url();
+ $secure_cookie = '';
- if ( is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) )
+ // If the user wants ssl but the session is not ssl, force a secure cookie.
+ if ( !empty($_POST['log']) && !force_ssl_admin() ) {
+ $user_name = sanitize_user($_POST['log']);
+ if ( $user = get_userdatabylogin($user_name) ) {
+ if ( get_user_option('use_ssl', $user->ID) ) {
+ $secure_cookie = true;
+ force_ssl_admin(true);
+ }
+ }
+ }
+
+ if ( isset( $_REQUEST['redirect_to'] ) ) {
+ $redirect_to = $_REQUEST['redirect_to'];
+ // Redirect to https if user wants ssl
+ if ( $secure_cookie )
+ $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to);
+ } else {
+ $redirect_to = admin_url();
+ }
+
+ if ( !$secure_cookie && is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) )
$secure_cookie = false;
- else
- $secure_cookie = '';
$user = wp_signon('', $secure_cookie);
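Review bot: `force_ssl_admin(true)` and `$secure_cookie = true` are decided from `$_POST['log']` alone, before wp_signon() has verified the password, so the admin-ssl setting and the https rewrite of `redirect_to` are driven by an unauthenticated username; the effect appears confined to this request and the rewrite only changes the scheme, so the impact is low, but the ordering should be stated: `// Pre-auth lookup: only selects the cookie/redirect scheme for this request; wp_signon() still verifies the credentials.` `$secure_cookie` now carries three values ('', false and true) that mean different things to wp_signon(), and the final `if ( !$secure_cookie && ... )` relies on '' and false both being falsy; a short comment above `$secure_cookie = '';` naming what each value means would help the next reader. The `case 'login'` block continues past the end of this hunk.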