In WP versions >= 4.0, is FORCE_SSL_LOGIN forcing HTTPS for the entire admin session?

If I’m not mistaken, I recall being able to use FORCE_SSL_LOGIN to secure just the WP login process and not the entire admin session, which is the purpose of FORCE_SSL_ADMIN. Some browsers would keep HTTPS in the URL after login, but switching to HTTP would not redirect back to HTTPS.

I have WP 4.0 and 4.1 installations, and I’m using the FORCE_SSL_LOGIN define in my wp-config.php, but any attempt to use HTTP during an admin session is redirected back to HTTPS.

I haven’t looked at the source code for this process prior to experiencing this issue, but to me it seems FORCE_SSL_LOGIN and FORCE_SSL_ADMIN will result in the same experience: HTTPS for the entire admin session.

Looking at wp_ssl_constants() in wp-includes/default-constants.php, I see force_ssl_admin(true) is called if FORCE_SSL_LOGIN is defined and true. Also, wp-admin/admin.php calls auth_redirect() (see wp-includes/pluggable.php), and auth_redirect() uses force_ssl_admin() and seems to redirect to HTTPS if FORCE_SSL_LOGIN is true, the current request is using HTTP, and the request URL contains “wp-admin”.

Has anyone else experienced this behavior? Am I understanding the code correctly?

1 Answer
1

FORCE_SSL_LOGIN is marked as deprecated since 4.0 in the source (you might have jumped over that bit). So it does now force all of admin to SSL, and the past behavior for it seems to no longer be available.
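The following is an added example, not code from the original post or from WordPress itself. It is a stand-alone PHP model of the two decisions the question traces (what value wp_ssl_constants() ends up passing to force_ssl_admin(), and whether auth_redirect() bounces an HTTP request for a wp-admin URL to HTTPS), so you can see why FORCE_SSL_LOGIN alone now produces an all-HTTPS admin session in 4.0+. The function names ssl_constants_model() and auth_redirect_model(), the $defines array standing in for wp-config.php defines, and the sample host and request URIs are this example's own assumptions; run it with `php` from the command line.

```php
<?php
// Added example: models the WordPress 4.0+ logic discussed above.
// Not WordPress code. ssl_constants_model(), auth_redirect_model() and the
// $defines array are this example's own names, chosen to mirror
// wp_ssl_constants() and auth_redirect() without loading WordPress.

// Models wp_ssl_constants(): returns the effective force_ssl_admin() value.
// $defines stands in for the constants a wp-config.php would define.
function ssl_constants_model(array $defines, string $siteurl): bool {
    if (!array_key_exists('FORCE_SSL_ADMIN', $defines)) {
        // Default when FORCE_SSL_ADMIN is undefined: HTTPS admin only if
        // the site URL itself already uses https.
        $defines['FORCE_SSL_ADMIN'] = ('https' === parse_url($siteurl, PHP_URL_SCHEME));
    }
    $force_ssl_admin = (bool) $defines['FORCE_SSL_ADMIN'];

    if (!empty($defines['FORCE_SSL_LOGIN'])) {
        // The deprecated define promotes the whole admin to HTTPS; there is
        // no longer a separate "login only" mode.
        $force_ssl_admin = true;
    }
    return $force_ssl_admin;
}

// Models the redirect check in auth_redirect(): returns the HTTPS URL the
// request would be sent to, or null when the request is left alone.
function auth_redirect_model(bool $force_ssl_admin, bool $is_ssl, string $host, string $request_uri): ?string {
    $secure = $is_ssl || $force_ssl_admin;
    if ($secure && !$is_ssl && false !== strpos($request_uri, 'wp-admin')) {
        return 'https://' . $host . $request_uri;
    }
    return null;
}

// Constructed scenarios (not taken from the original post).
$cases = [
    ['FORCE_SSL_LOGIN only',   ['FORCE_SSL_LOGIN' => true]],
    ['FORCE_SSL_ADMIN only',   ['FORCE_SSL_ADMIN' => true]],
    ['neither, http siteurl',  []],
    ['neither, https siteurl', [], 'https://example.com'],
];
foreach ($cases as $case) {
    [$label, $defines] = $case;
    $siteurl  = $case[2] ?? 'http://example.com';
    $force    = ssl_constants_model($defines, $siteurl);
    // A plain-HTTP request (is_ssl() false) for an admin page after login.
    $redirect = auth_redirect_model($force, false, 'example.com', '/wp-admin/edit.php');
    printf("%-24s force_ssl_admin=%-5s  GET http://example.com/wp-admin/edit.php -> %s\n",
        $label, $force ? 'true' : 'false', $redirect ?? 'no redirect');
}
```

The first two scenarios behave identically, which is the point of the answer: once FORCE_SSL_LOGIN is defined and true, the same HTTPS redirect applies to every wp-admin request, not just the login form. To confirm on a live site, request an admin page over plain HTTP with an authenticated cookie and check for a 302 to the https:// URL.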
