If I’m not mistaken, I recall being able to use FORCE_SSL_LOGIN to secure just the WP login process and not the entire admin session, which is the purpose of FORCE_SSL_ADMIN. Some browsers would keep HTTPS in the URL after login, but switching to HTTP would not redirect back to HTTPS.

I have WP 4.0 and 4.1 installations, and I’m using the FORCE_SSL_LOGIN define in my wp-config.php, but any attempt to use HTTP during an admin session is redirected back to HTTPS.

I haven’t looked at the source code for this process prior to experiencing this issue, but to me it seems FORCE_SSL_LOGIN and FORCE_SSL_ADMIN will result in the same experience: HTTPS for the entire admin session.

Looking at wp_ssl_constants() in wp-includes/default-constants.php, I see force_ssl_admin(true) is called if FORCE_SSL_LOGIN is defined and true. Also, wp-admin/admin.php calls auth_redirect() (see wp-includes/pluggable.php), and auth_redirect() uses force_ssl_admin() and seems to redirect to HTTPS if FORCE_SSL_LOGIN is true, the current request is using HTTP, and the request URL contains “wp-admin”.

Has anyone else experienced this behavior? Am I understanding the code correctly?
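The code path described in the question, as an added stand-alone model that is not the poster's code and not WordPress's own source: force_ssl_admin() keeps the same static flag as in wp-includes/pluggable.php, while the wp_ssl_constants() and auth_redirect() bodies are reduced to the scheme decision only (no options table, no filters, no real redirect). The host and request URI are constructed sample values.

```php
<?php
// Simplified model of the WordPress 4.x behaviour discussed above.
// force_ssl_admin() mirrors the real static-flag accessor; the other two
// functions are trimmed models, not the actual WordPress implementations.

function force_ssl_admin( $force = null ) {
    static $forced = false;
    if ( ! is_null( $force ) ) {
        $old_forced = $forced;
        $forced     = $force;
        return $old_forced;
    }
    return $forced;
}

// Models wp_ssl_constants(): a true FORCE_SSL_LOGIN turns on
// force_ssl_admin() regardless of FORCE_SSL_ADMIN.
function model_wp_ssl_constants( $force_ssl_admin, $force_ssl_login ) {
    force_ssl_admin( $force_ssl_admin );
    if ( $force_ssl_login ) {
        force_ssl_admin( true );
    }
}

// Models the redirect test in auth_redirect(): returns the HTTPS URL the
// request would be sent to, or null when no redirect happens.
function model_auth_redirect( $is_ssl, $host, $request_uri ) {
    $secure = ( $is_ssl || force_ssl_admin() );
    if ( $secure && ! $is_ssl && false !== strpos( $request_uri, 'wp-admin' ) ) {
        return 'https://' . $host . $request_uri;
    }
    return null;
}

// Three wp-config.php combinations, each followed by a plain-HTTP request
// to an admin page during the session (constructed sample request).
$scenarios = array(
    'FORCE_SSL_LOGIN only' => array( false, true ),
    'FORCE_SSL_ADMIN only' => array( true, false ),
    'neither constant'     => array( false, false ),
);
foreach ( $scenarios as $label => $c ) {
    force_ssl_admin( false ); // reset the static flag between scenarios
    model_wp_ssl_constants( $c[0], $c[1] );
    $target = model_auth_redirect( false, 'example.com', '/wp-admin/edit.php' );
    printf( "%-21s force_ssl_admin()=%-5s redirect=%s\n", $label,
        force_ssl_admin() ? 'true' : 'false', $target ? $target : 'none' );
}
```

With either constant set, an HTTP request to wp-admin is redirected to HTTPS, which matches the behaviour observed on WP 4.0 and 4.1.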