diff --git a/wp-includes/general-template.php b/wp-includes/general-template.php index c621918af..2dd55e56d 100644 --- a/wp-includes/general-template.php +++ b/wp-includes/general-template.php @@ -228,13 +228,17 @@ function wp_logout_url($redirect = '') { * @uses apply_filters() calls 'login_url' hook on final login url * * @param string $redirect Path to redirect to on login. + * @param bool $force_reauth Whether to force reauthorization, even if a cookie is present. Default is false. + * @return string A log in url */ -function wp_login_url($redirect = '') { +function wp_login_url($redirect = '', $force_reauth = false) { $login_url = site_url('wp-login.php', 'login'); - if ( !empty($redirect) ) { + if ( !empty($redirect) ) $login_url = add_query_arg('redirect_to', urlencode($redirect), $login_url); - } + + if ( $force_reauth ) + $login_url = add_query_arg('reauth', '1', $login_url); return apply_filters('login_url', $login_url, $redirect); } diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php index ec10d0274..8c8d688c1 100644 --- a/wp-includes/pluggable.php +++ b/wp-includes/pluggable.php @@ -799,7 +799,7 @@ function auth_redirect() { $redirect = ( strpos($_SERVER['REQUEST_URI'], '/options.php') && wp_get_referer() ) ? wp_get_referer() : $proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; - $login_url = wp_login_url($redirect); + $login_url = wp_login_url($redirect, true); wp_redirect($login_url); exit(); diff --git a/wp-login.php b/wp-login.php index 2d1e02ab6..b6b11a429 100644 --- a/wp-login.php +++ b/wp-login.php @@ -520,6 +520,8 @@ default: $redirect_to = admin_url(); } + $reauth = empty($_REQUEST['reauth']) ? false : true; + // If the user was redirected to a secure login form from a non-secure admin page, and secure login is required but secure admin is not, then don't use a secure // cookie and redirect back to the referring non-secure admin page. This allows logins to always be POSTed over SSL while allowing the user to choose visiting // the admin via http or https. @@ -530,7 +532,7 @@ default: $redirect_to = apply_filters('login_redirect', $redirect_to, isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user); - if ( !is_wp_error($user) ) { + if ( !is_wp_error($user) && !$reauth ) { if ( $interim_login ) { $message = '

' . __('You have logged in successfully.') . '

'; login_header( '', $message ); ?> @@ -549,7 +551,7 @@ default: $errors = $user; // Clear errors if loggedout is set. - if ( !empty($_GET['loggedout']) ) + if ( !empty($_GET['loggedout']) || $reauth ) $errors = new WP_Error(); // If cookies are disabled we can't log in even with a valid user+pass @@ -570,6 +572,10 @@ default: elseif ( $interim_login ) $errors->add('expired', __('Your session has expired. Please log-in again.'), 'message'); + // Clear any stale cookies. + if ( $reauth ) + wp_clear_auth_cookie(); + login_header(__('Log In'), '', $errors); if ( isset($_POST['log']) )