Recent change has broken remote logins that redirect to non-SSL pages
-
Hi,
A recent code change at wordpress.com has broken remote logins that redirect to non-SSL pages. For example, our app remotely logs users into their accounts via the HTTPS page, and redirects to their Stats page (which is HTTP). The URL is in the following format:
http://wordpress.com/#!/my-stats/?unit=1&blog=BLOG_ID&no-chrome
However, in the last couple of days, your code changes mean that the user gets redirected to the wordpress.com homepage instead.
From a browser, if a user is logged in but then tries to access the above-mentioned URL format manually, they are redirected to the HTTPS equivalent. Therefore, since this is a breaking change, and since there is no security risk by redirecting to a non-SSL page once logged in via HTTPS, could this please be resolved ASAP? This currently affects thousands of our users (ours and yours!), and it will take at least a couple of weeks before we can provide a fix as we are already trying to finish off a large release.
Even if your redirect process detects that the page to be redirected to is HTTP rather than HTTPS, and corrects the URL accordingly (rather than redirect to the homepage) this would be considerably better than the current implementation which breaks this functionality for all our users.
-
Hi,
Any progress on this? We’re inundated by our users contacting us about this issue. With thousands of users, this could soon become a big problem for us both!
-
Hey Dino,
Unfortunately it’s not an easy fix and there are serious security concerns over patching it up. The answer has to be that you’ll have to update the BlogPadPro app to use the new URL directly. This was a breaking change for the official WordPress apps as well and they will be updated to use the new URL shortly as well.
Sorry about the inconvenience and I hope you can get your update out quickly.
-
A bit more information in the pull request for the app fix: https://github.com/wordpress-mobile/WordPress-iOS/pull/1816
-
Hi Isaac,
I really don’t see why it’s a security concern, because we are using a secure way to log in to the Dashboard. It doesn’t matter if the page you then redirect to is a non-SSL page – depending on how you do it of course!
It’s disappointing that we have to find out about this only when it has broken. Also, it’s not ideal that we *appear* to have let down our users, even though it is not us that made the breaking change.
-
Hey Dino,
I understand your frustration. We ran into the same issue with the WordPress iOS app, as Isaac linked to in his previous post.
We are now forcing SSL on all traffic to WordPress.com. Wherever possible, we’re redirecting non-SSL requests to the appropriate SSL pages. Unfortunately, both your application and the WordPress iOS application were using older non-secure stats URLs that utilized URL fragments (also known as the URL hash). Because the fragment portion of the URL never gets sent to the server with the request, we are sadly unable to redirect to the correct page.
In other words, when you make a request to
http://wordpress.com/#!/my-stats/?unit=1&blog=BLOG_ID&no-chrome
our server only sees a request to
http://wordpress.com/
and we then redirect you to
https://wordpress.com/
A request to
http://wordpress.com/my-stats/?unit=1&blog=BLOG_ID&no-chrome
would properly redirect to
https://wordpress.com/my-stats/?unit=1&blog=BLOG_ID&no-chrome
Note: some browsers (such as desktop Chrome) are smart enough to maintain the fragment despite the redirect. Unfortunately, Safari (both desktop and mobile) is not.
Again, I’m very sorry about any issues this has caused. Please let me know if you have any other questions.
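The mechanism described in the reply above, as an added example that is not part of the thread and not WordPress.com code: it models what a server actually receives for the two URL forms quoted in the thread, what a forced HTTP-to-HTTPS redirect can therefore produce, how a browser that does or does not re-attach the fragment ends up on different pages, and the client-side rewrite an app can do to move from the legacy `#!/` form to the direct path over SSL. The `migrate_fragment_url` helper and the `browser_keeps_fragment` flag are hypothetical; the host and paths are the ones quoted in the thread.

```python
"""Added example (not from the thread): why a fragment-based URL cannot
survive a server-side HTTP -> HTTPS redirect, and how a client can migrate
the legacy "#!/" URL to the direct path form the thread recommends."""
from urllib.parse import urlsplit, urlunsplit


def request_target(url: str) -> str:
    """Return the request-target an HTTP client actually puts on the wire.

    The fragment (everything after '#') is consumed client-side and is
    never sent to the server, so only the path and query survive.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    return f"{path}?{parts.query}" if parts.query else path


def force_ssl_redirect(url: str) -> str:
    """Simulate a server that upgrades every http:// request to https://.

    The server only ever sees request_target(url), so the Location it can
    build is https://host + that target. Anything that lived in the
    fragment is gone unless the browser re-attaches it on its own.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url  # already secure, nothing to redirect
    return f"https://{parts.netloc}{request_target(url)}"


def client_follow(url: str, browser_keeps_fragment: bool) -> str:
    """Model the browser following the 3xx.

    Some browsers (the thread names desktop Chrome) re-append the original
    fragment to the Location URL; others (the thread names Safari) drop it.
    The flag is a hypothetical switch standing in for that behaviour.
    """
    location = force_ssl_redirect(url)
    fragment = urlsplit(url).fragment
    if browser_keeps_fragment and fragment and "#" not in location:
        return f"{location}#{fragment}"
    return location


def migrate_fragment_url(url: str) -> str:
    """Rewrite a legacy http://host/#!/path?query URL to https://host/path?query.

    This is the app-side fix the thread asks for: stop relying on the
    fragment and request the real path over SSL. Hypothetical helper.
    """
    parts = urlsplit(url)
    if not parts.fragment.startswith("!/"):
        # Not a hash-bang URL: just make sure it is https.
        return force_ssl_redirect(url)
    # fragment is "!/my-stats/?unit=1&..."; split it into path and query.
    frag_path, _, frag_query = parts.fragment[1:].partition("?")
    return urlunsplit(("https", parts.netloc, frag_path, frag_query, ""))


if __name__ == "__main__":
    # URLs constructed from the ones quoted in the thread.
    legacy = "http://wordpress.com/#!/my-stats/?unit=1&blog=BLOG_ID&no-chrome"
    direct = "http://wordpress.com/my-stats/?unit=1&blog=BLOG_ID&no-chrome"
    for u in (legacy, direct):
        print("request:", u)
        print("  server sees :", request_target(u))
        print("  Location    :", force_ssl_redirect(u))
        print("  Chrome-like :", client_follow(u, browser_keeps_fragment=True))
        print("  Safari-like :", client_follow(u, browser_keeps_fragment=False))
    print("migrated     :", migrate_fragment_url(legacy))
```

Running it shows the legacy URL collapsing to `https://wordpress.com/` for a browser that drops the fragment, while the direct path form redirects cleanly to its HTTPS equivalent, which is the exact behaviour the reply describes.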