I’m working on a site that requires an https secured admin area and a secure front-end area as well where private information will be shown. My preference for user login is an Ajax-enabled widget that can be shown on every page of the site, but I’m not able to make it work when passing submitted form data from the non-secured pages to the login page.
I started by using the Login With Ajax plugin, which with a few modifications, plays well with SSL for the most part, and it works fine when logging in from a page that’s being accessed by https… and it also works fine when FORCE_SSL_ADMIN is turned off. But when trying to log in from the widget on a non-secured page with FORCE_SSL_ADMIN on, I can’t get an response from the server.
Are there any existing plugins which solve this problem? And if not, anyone have any solutions? Maybe a secured form embedded in an iframe is my best idea so far… just thinking that there must be an easier way.
*Edit: Offering Bounty*
I’m adding a bounty to this question because I’m still curious. I worked around this in my project by just giving up on the widget and displaying a link to the wp-login page. But being able to embed a secure login form on a non secure page would be a much better solution. I’ll award the bounty to anyone who can show code that would work to make that happen, or point me to a plugin that already does this.
There are ways of doing it; this way, for instance. My guess is that Login With Ajax isn’t using all of the techniques described in that article, and some browser security feature is blocking it. Try getting in touch with the developer and suggesting improvements, with a pointer to that article.
WordPress dieffrence for hhtp and https and when you call the AJAX with the default functions of WP than is a AJAX regsitration form possible. Maybe you see the plugin form from this tutorial: http://www.wpajax.com/code/
I think this is the solution for you.
I’ve had a similar problem, and it turned out all depended on how the function
wp_signon( $credentials, $secure_cookie )was called.I want everything on my site to be https after signing on, so a non-secure cookie is of nu use.
In my code from before ssl was: wp_signon( $credentials, false )
so I changed:
to
Which creates a secure cookie and now everything’s fine.
I can imagine that plugin developers try to rely on
FORCE_SSL_ADMINto set the secure cookie, try usingwp_signon( $credentials, false )in your case.I hope it solves the problem.
Haven’t looked at the plugin, but my guess is it’s hard-coding the login URL without https in the Ajax request. The wp login form works fine in its non https version along with a form action that is set to use https, so I really can’t see why Ajax wouldn’t work.
If changing the plugin is not an option, you could try these approaches:
One would be some jquery goodness on the wp_footer hook. Search for the login form’s ID and change it’s URL, eg:
$(ID).attr('action', newValue);(I’m not 100 it’ll work, though, as I vaguely recall jquery coughing on form tags when changing a form’s method or action.)
A second approach, if the URL appears in the login form’s HTML but not in its Ajax call, would be to start an output buffer on
wp_head, andstr_replace()the URL.A third approach, if the actual url appears in the js script as a parameter, is to override it’s value in wp_footer, as is done in the auto-thickbox plugin for the image urls used in wp.
A last option, if the script is messy spaghetti code with the login URL hard-coded within function calls, is to dequeue it using
wp_dequeue_script(), and enqueue your own version to replace it. Mind priorities if you do this: yourwp_print_scriptsaction should, obviously, occur after that of the plugin.I had a similar problem with an AJAX plugin.
After a suggestion on https://stackoverflow.com/questions/6301076/wordpress-single-page-ssl , added this to the wp-config.php file:
Then, I forced the specific page (with the AJAX thing) to be https:// only (there are plugins for that).