#3095 closed defect (bug) (fixed)
Change password form to send via SSL?
Reported by: | finni3 | Owned by: | |
---|---|---|---|
Milestone: | 1.5 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Core | Keywords: | dev-feedback |
Cc: |
Description
jlamerto:
"WP 3.0.5
BP 1.2.7
I am new to WP and BP, so this my be a stupid question, but…
I have noticed that although define(‘FORCE_SSL_ADMIN’, true); in wp-config.php redirects logging in to https the form under BP settings sends the password in clear text unless the whole site is under SSL. Is there a way to change this?"
pgibbs: "I think BuddyPress needs a pass-through to check where we should be using SSL."
Change History (3)
Note: See
TracTickets for help on using
tickets.
In BP 1.2x, the form action uses $bp->loggedin_user->domain to output the URL.
$bp->loggedin_user->domain can be routed upstream to bp_core_get_user_domain().
bp_core_get_root_domain(), in turn, uses get_blog_option( $blog_id, 'home' ).
---
BP 1.3 (as of [3343]) fixes this as bp_core_get_root_domain() uses get_home_url(), which appropriately triggers the URL to use SSL if it is enabled:
http://codex.wordpress.org/Function_Reference/get_home_url
---
Another way around the problem is to leave form actions blank (if it's not a multipart form) so they refresh on the same page.
Need core dev feedback on this though.