Introduce logged_in cookie. Deliver auth cookies only to wp-admin. see #7001

git-svn-id: http://svn.automattic.com/wordpress/trunk@8069 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-06-11 17:25:55 +00:00 · 2008-06-11 17:25:55 +00:00 · 6adcab8b27
parent b666a1c910
commit 6adcab8b27
8 changed files with 188 additions and 62 deletions
--- a/wp-admin/admin-header.php
+++ b/wp-admin/admin-header.php
@ -111,7 +111,7 @@ if ( ($is_gecko || $is_winIE) && strpos(strtolower($_SERVER['HTTP_USER_AGENT']),

 <?php } ?>

-<div id="user_info"><p><?php printf(__('Howdy, <a href="%1$s">%2$s</a>!'), 'profile.php', $user_identity) ?> | <a href="<?php echo site_url('wp-login.php?action=logout') ?>" title="<?php _e('Log Out') ?>"><?php _e('Log Out'); ?></a> | <?php _e('<a href="http://codex.wordpress.org/">Help</a>') ?> | <?php _e('<a href="http://wordpress.org/support/">Forums</a>') ?> | <?php if ( $gears_compat ) { ?><span id="gears-menu"><a href="#" onclick="wpGears.message(1);return false;"><?php _e('Speed up!') ?></a></span><?php } ?></p></div>
+<div id="user_info"><p><?php printf(__('Howdy, <a href="%1$s">%2$s</a>!'), 'profile.php', $user_identity) ?> | <a href="<?php echo site_url('wp-login.php?action=logout', 'login') ?>" title="<?php _e('Log Out') ?>"><?php _e('Log Out'); ?></a> | <?php _e('<a href="http://codex.wordpress.org/">Help</a>') ?> | <?php _e('<a href="http://wordpress.org/support/">Forums</a>') ?> | <?php if ( $gears_compat ) { ?><span id="gears-menu"><a href="#" onclick="wpGears.message(1);return false;"><?php _e('Speed up!') ?></a></span><?php } ?></p></div>

 <?php
 require(ABSPATH . 'wp-admin/menu-header.php');
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@ -1768,4 +1768,29 @@ function validate_file( $file, $allowed_files = '' ) {
 function is_ssl() {
 	return ( 'on' == strtolower($_SERVER['HTTPS']) ) ? true : false; 
 }
+
+function force_ssl_login($force = '') {
+	static $forced;
+
+	if ( '' != $force ) {
+		$old_forcded = $forced;
+		$forced = $force;
+		return $old_forced;
+	}
+
+	return $forced;
+}
+
+function force_ssl_admin($force = '') {
+	static $forced;
+
+	if ( '' != $force ) {
+		$old_forcded = $forced;
+		$forced = $force;
+		return $old_forced;
+	}
+
+	return $forced;
+}
+
 ?>
--- a/wp-includes/general-template.php
+++ b/wp-includes/general-template.php
@ -33,9 +33,9 @@ function get_sidebar( $name = null ) {

 function wp_loginout() {
 	if ( ! is_user_logged_in() )
-		$link = '<a href="' . site_url('wp-login.php', 'forceable') . '">' . __('Log in') . '</a>';
+		$link = '<a href="' . site_url('wp-login.php', 'login') . '">' . __('Log in') . '</a>';
 	else
-		$link = '<a href="' . site_url('wp-login.php?action=logout', 'forceable') . '">' . __('Log out') . '</a>';
+		$link = '<a href="' . site_url('wp-login.php?action=logout', 'login') . '">' . __('Log out') . '</a>';

 	echo apply_filters('loginout', $link);
 }
@ -45,7 +45,7 @@ function wp_register( $before = '<li>', $after = '</li>' ) {

 	if ( ! is_user_logged_in() ) {
 		if ( get_option('users_can_register') )
-			$link = $before . '<a href="' . site_url('wp-login.php?action=register', 'forceable') . '">' . __('Register') . '</a>' . $after;
+			$link = $before . '<a href="' . site_url('wp-login.php?action=register', 'login') . '">' . __('Register') . '</a>' . $after;
 		else
 			$link = '';
 	} else {
--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@ -780,7 +780,9 @@ function get_shortcut_link() {
 function site_url($path = '', $scheme = null) {
 	// should the list of allowed schemes be maintained elsewhere?
 	if ( !in_array($scheme, array('http', 'https')) ) {
-		if ( ('forceable' == $scheme) && (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) )
+		if ( ('login' == $scheme) && ( force_ssl_login() || force_ssl_admin() ) )
+			$scheme = 'https';
+		elseif ( ('admin' == $scheme) && force_ssl_admin() )
 			$scheme = 'https';
 		else
 			$scheme = ( is_ssl() ? 'https' : 'http' );
@ -797,7 +799,7 @@ function site_url($path = '', $scheme = null) {
 function admin_url($path = '') {
 	global $_wp_admin_url;

-	$url = site_url('wp-admin/', 'forceable');
+	$url = site_url('wp-admin/', 'admin');

 	if ( !empty($path) && is_string($path) && strpos($path, '..') === false )
 		$url .= ltrim($path, '/');
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@ -100,8 +100,10 @@ function get_currentuserinfo() {
 		return;

 	if ( ! $user = wp_validate_auth_cookie() ) {
-		wp_set_current_user(0);
-		return false;
+		 if ( empty($_COOKIE[LOGGED_IN_COOKIE]) || !$user = wp_validate_auth_cookie($_COOKIE[LOGGED_IN_COOKIE], 'logged_in') ) {
+		 	wp_set_current_user(0);
+		 	return false;
+		 }
 	}

 	wp_set_current_user($user);
@ -465,14 +467,18 @@ if ( !function_exists('wp_validate_auth_cookie') ) :
 * @since 2.5
 *
 * @param string $cookie Optional. If used, will validate contents instead of cookie's
+ * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
 * @return bool|int False if invalid cookie, User ID if valid.
 */
-function wp_validate_auth_cookie($cookie = '') {
+function wp_validate_auth_cookie($cookie = '', $scheme = 'auth') {
 	if ( empty($cookie) ) {
-		if ( is_ssl() )
+		if ( is_ssl() ) {
 			$cookie_name = SECURE_AUTH_COOKIE;
-		else
+			$scheme = 'secure_auth';
+		} else {
 			$cookie_name = AUTH_COOKIE;
+			$scheme = 'auth';
+		}

 		if ( empty($_COOKIE[$cookie_name]) )
 			return false;
@ -495,7 +501,7 @@ function wp_validate_auth_cookie($cookie = '') {
 	if ( $expired < time() )
 		return false;

-	$key = wp_hash($username . '|' . $expiration);
+	$key = wp_hash($username . '|' . $expiration, $scheme);
 	$hash = hash_hmac('md5', $username . '|' . $expiration, $key);

 	if ( $hmac != $hash )
@ -519,18 +525,18 @@ if ( !function_exists('wp_generate_auth_cookie') ) :
 *
 * @param int $user_id User ID
 * @param int $expiration Cookie expiration in seconds
- * @param bool $secure Whether the cookie is for https delivery only or not.  Not used by default.  For plugin use.
+ * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
 * @return string Authentication cookie contents
 */
-function wp_generate_auth_cookie($user_id, $expiration, $secure = false) {
+function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {
 	$user = get_userdata($user_id);

-	$key = wp_hash($user->user_login . '|' . $expiration);
+	$key = wp_hash($user->user_login . '|' . $expiration, $scheme);
 	$hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);

 	$cookie = $user->user_login . '|' . $expiration . '|' . $hash;

-	return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $secure);
+	return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);
 }
 endif;

@ -548,7 +554,7 @@ if ( !function_exists('wp_set_auth_cookie') ) :
 * @param int $user_id User ID
 * @param bool $remember Whether to remember the user or not
 */
-function wp_set_auth_cookie($user_id, $remember = false) {
+function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
 	if ( $remember ) {
 		$expiration = $expire = time() + 1209600;
 	} else {
@ -556,21 +562,27 @@ function wp_set_auth_cookie($user_id, $remember = false) {
 		$expire = 0;
 	}

-	if ( is_ssl() ) {
-		$secure = true;
-		$cookie_name = SECURE_AUTH_COOKIE;
+	if ( '' === $secure )
+		$secure = is_ssl() ? true : false;
+
+	if ( $secure ) {
+		$auth_cookie_name = SECURE_AUTH_COOKIE;
+		$scheme = 'secure_auth';
 	} else {
-		$secure = false;
-		$cookie_name = AUTH_COOKIE;
+		$auth_cookie_name = AUTH_COOKIE;
+		$scheme = 'auth';
 	}

-	$cookie = wp_generate_auth_cookie($user_id, $expiration, $secure);
+	$auth_cookie = wp_generate_auth_cookie($user_id, $expiration, $scheme);
+	$logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');

-	do_action('set_auth_cookie', $cookie, $expire, $secure);
+	do_action('set_auth_cookie', $auth_cookie, $expire, $scheme);
+	do_action('set_auth_cookie', $logged_in_cookie, $expire, 'logged_in');

-	setcookie($cookie_name, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure);
+	setcookie($auth_cookie_name, $auth_cookie, $expire, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN, $secure);
+	setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN);
 	if ( COOKIEPATH != SITECOOKIEPATH )
-		setcookie($cookie_name, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure);
+		setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN);
 }
 endif;

@ -581,10 +593,12 @@ if ( !function_exists('wp_clear_auth_cookie') ) :
 * @since 2.5
 */
 function wp_clear_auth_cookie() {
-	setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-	setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
-	setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-	setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
+	setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+	setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+	setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+	setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+	setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
+	setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);

 	// Old cookies
 	setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
@ -621,15 +635,15 @@ if ( !function_exists('auth_redirect') ) :
 function auth_redirect() {
 	// Checks if a user is logged in, if not redirects them to the login page

-	if ( is_ssl() || (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) )
+	if ( is_ssl() || force_ssl_admin() )
 		$secure = true;
 	else
 		$secure = false;

 	// If https is required and request is http, redirect
 	if ( $secure && !is_ssl() ) {
-		if ( false !== strpos($_SERVER['REQUEST_URI'], 'http') ) {
-			wp_redirect(str_replace('http://', 'https://', $_SERVER['REQUEST_URI']));
+		if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
+			wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
 			exit();
 		} else {
 			wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
@ -643,7 +657,12 @@ function auth_redirect() {
 	// The cookie is no good so force login
 	nocache_headers();

-	$login_url = site_url( 'wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']), 'forceable' );
+	if ( is_ssl() )
+		$proto = 'https://';
+	else
+		$proto = 'http://';
+
+	$login_url = site_url( 'wp-login.php?redirect_to=' . urlencode($proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']), 'login' );

 	wp_redirect($login_url);
 	exit();
@ -971,7 +990,7 @@ function wp_new_user_notification($user_id, $plaintext_pass = '') {

 	$message  = sprintf(__('Username: %s'), $user_login) . "\r\n";
 	$message .= sprintf(__('Password: %s'), $plaintext_pass) . "\r\n";
-	$message .= site_url("wp-login.php", 'forceable') . "\r\n";
+	$message .= site_url("wp-login.php", 'login') . "\r\n";

 	wp_mail($user_email, sprintf(__('[%s] Your username and password'), get_option('blogname')), $message);

@ -1078,23 +1097,56 @@ if ( !function_exists('wp_salt') ) :
 *
 * @return string Salt value from either 'SECRET_KEY' or 'secret' option
 */
-function wp_salt() {
+function wp_salt($scheme = 'auth') {
 	global $wp_default_secret_key;
 	$secret_key = '';
 	if ( defined('SECRET_KEY') && ('' != SECRET_KEY) && ( $wp_default_secret_key != SECRET_KEY) )
 		$secret_key = SECRET_KEY;

-	if ( defined('SECRET_SALT') ) {
-		$salt = SECRET_SALT;
-	} else {
-		$salt = get_option('secret');
-		if ( empty($salt) ) {
-			$salt = wp_generate_password();
-			update_option('secret', $salt);
+	if ( 'auth' == $scheme ) {
+		if ( defined('AUTH_KEY') && ('' != AUTH_KEY) && ( $wp_default_secret_key != AUTH_KEY) )
+			$secret_key = AUTH_KEY;
+
+		if ( defined('AUTH_SALT') ) {
+			$salt = AUTH_SALT;
+		} elseif ( defined('SECRET_SALT') ) {
+			$salt = SECRET_SALT;
+		} else {
+			$salt = get_option('auth_salt');
+			if ( empty($salt) ) {
+				$salt = wp_generate_password();
+				update_option('auth_salt', $salt);
+			}
+		}
+	} elseif ( 'secure_auth' == $scheme ) {
+		if ( defined('SECURE_AUTH_KEY') && ('' != SECURE_AUTH_KEY) && ( $wp_default_secret_key != SECURE_AUTH_KEY) )
+			$secret_key = SECURE_AUTH_KEY;
+
+		if ( defined('SECURE_AUTH_SALT') ) {
+			$salt = SECRET_AUTH_SALT;
+		} else {
+			$salt = get_option('secure_auth_salt');
+			if ( empty($salt) ) {
+				$salt = wp_generate_password();
+				update_option('secure_auth_salt', $salt);
+			}
+		}
+	} elseif ( 'logged_in' == $scheme ) {
+		if ( defined('LOGGED_IN_KEY') && ('' != LOGGED_IN_KEY) && ( $wp_default_secret_key != LOGGED_IN_KEY) )
+			$secret_key = LOGGED_IN_KEY;
+
+		if ( defined('LOGGED_IN_SALT') ) {
+			$salt = LOGGED_IN_SALT;
+		} else {
+			$salt = get_option('logged_in_salt');
+			if ( empty($salt) ) {
+				$salt = wp_generate_password();
+				update_option('logged_in_salt', $salt);
+			}
 		}
 	}

-	return apply_filters('salt', $secret_key . $salt);
+	return apply_filters('salt', $secret_key . $salt, $scheme);
 }
 endif;

@ -1108,8 +1160,8 @@ if ( !function_exists('wp_hash') ) :
 * @param string $data Plain text to hash
 * @return string Hash of $data
 */
-function wp_hash($data) {
-	$salt = wp_salt();
+function wp_hash($data, $scheme = 'auth') {
+	$salt = wp_salt($scheme);

 	return hash_hmac('md5', $data, $salt);
 }
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@ -1,6 +1,6 @@
 <?php

-function wp_signon( $credentials = '' ) {
+function wp_signon( $credentials = '', $secure_cookie = '' ) {
 	if ( empty($credentials) ) {
 		if ( ! empty($_POST['log']) )
 			$credentials['user_login'] = $_POST['log'];
@ -21,13 +21,21 @@ function wp_signon( $credentials = '' ) {

 	do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));

+	if ( '' === $secure_cookie )
+		$secure_cookie = is_ssl() ? true : false;
+	
 	// If no credential info provided, check cookie.
 	if ( empty($credentials['user_login']) && empty($credentials['user_password']) ) {
 			$user = wp_validate_auth_cookie();
 			if ( $user )
 				return new WP_User($user);

-			if ( !empty($_COOKIE[AUTH_COOKIE]) )
+			if ( $secure_cookie )
+				$auth_cookie = SECURE_AUTH_COOKIE;
+			else
+				$auth_cookie = AUTH_COOKIE;
+
+			if ( !empty($_COOKIE[$auth_cookie]) )
 				return new WP_Error('expired_session', __('Please log in again.'));

 			// If the cookie is not set, be silent.
@ -48,7 +56,7 @@ function wp_signon( $credentials = '' ) {
 	if ( is_wp_error($user) )
 		return $user;

-	wp_set_auth_cookie($user->ID, $credentials['remember']);
+	wp_set_auth_cookie($user->ID, $credentials['remember'], $secure_cookie);
 	do_action('wp_login', $credentials['user_login']);
 	return $user;
 }
--- a/wp-login.php
+++ b/wp-login.php
@ -11,6 +11,17 @@
 /** Make sure that the WordPress bootstrap has ran before continuing. */
 require( dirname(__FILE__) . '/wp-load.php' );

+// Redirect to https login if forced to use SSL
+if ( (force_ssl_admin() || force_ssl_login()) && !is_ssl() ) {
+	if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
+		wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
+		exit();
+	} else {
+		wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+		exit();			
+	}
+}
+
 /**
 * login_header() - Outputs the header for the login page
 *
@ -137,7 +148,7 @@ function retrieve_password() {
 	$message .= get_option('siteurl') . "\r\n\r\n";
 	$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
 	$message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n";
-	$message .= site_url("wp-login.php?action=rp&key=$key") . "\r\n";
+	$message .= site_url("wp-login.php?action=rp&key=$key", 'login') . "\r\n";

 	if ( !wp_mail($user_email, sprintf(__('[%s] Password Reset'), get_option('blogname')), $message) )
 		die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>');
@ -174,7 +185,7 @@ function reset_password($key) {
 	wp_set_password($new_pass, $user->ID);
 	$message  = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
 	$message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";
-	$message .= site_url('wp-login.php') . "\r\n";
+	$message .= site_url('wp-login.php', 'login') . "\r\n";

 	if (  !wp_mail($user->user_email, sprintf(__('[%s] Your new password'), get_option('blogname')), $message) )
 		die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>');
@ -312,10 +323,10 @@ case 'retrievepassword' :

 <p id="nav">
 <?php if (get_option('users_can_register')) : ?>
-<a href="<?php echo site_url('wp-login.php', 'forceable') ?>"><?php _e('Log in') ?></a> |
-<a href="<?php echo site_url('wp-login.php?action=register') ?>"><?php _e('Register') ?></a>
+<a href="<?php echo site_url('wp-login.php', 'login') ?>"><?php _e('Log in') ?></a> |
+<a href="<?php echo site_url('wp-login.php?action=register', 'login') ?>"><?php _e('Register') ?></a>
 <?php else : ?>
-<a href="<?php echo site_url('wp-login.php', 'forceable') ?>"><?php _e('Log in') ?></a>
+<a href="<?php echo site_url('wp-login.php', 'login') ?>"><?php _e('Log in') ?></a>
 <?php endif; ?>
 </p>

@ -380,8 +391,8 @@ case 'register' :
 </form>

 <p id="nav">
-<a href="<?php echo site_url('wp-login.php', 'forceable') ?>"><?php _e('Log in') ?></a> |
-<a href="<?php echo site_url('wp-login.php?action=lostpassword') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
+<a href="<?php echo site_url('wp-login.php', 'login') ?>"><?php _e('Log in') ?></a> |
+<a href="<?php echo site_url('wp-login.php?action=lostpassword', 'login') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
 </p>

 </div>
@ -395,13 +406,18 @@ break;

 case 'login' :
 default:
-	$user = wp_signon();
-
 	if ( isset( $_REQUEST['redirect_to'] ) )
 		$redirect_to = $_REQUEST['redirect_to'];
 	else
 		$redirect_to = 'wp-admin/';

+	if ( is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) )
+		$secure_cookie = false;
+	else
+		$secure_cookie = '';
+
+	$user = wp_signon('', $secure_cookie);
+
 	if ( !is_wp_error($user) ) {
 		// If the user can't edit posts, send them to their profile.
 		if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) )
@ -454,10 +470,10 @@ default:
 <p id="nav">
 <?php if ( isset($_GET['checkemail']) && in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?>
 <?php elseif (get_option('users_can_register')) : ?>
-<a href="<?php echo site_url('wp-login.php?action=register') ?>"><?php _e('Register') ?></a> |
-<a href="<?php echo site_url('wp-login.php?action=lostpassword') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
+<a href="<?php echo site_url('wp-login.php?action=register', 'login') ?>"><?php _e('Register') ?></a> |
+<a href="<?php echo site_url('wp-login.php?action=lostpassword', 'login') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
 <?php else : ?>
-<a href="<?php echo site_url('wp-login.php?action=lostpassword') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
+<a href="<?php echo site_url('wp-login.php?action=lostpassword', 'login') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
 <?php endif; ?>
 </p>

--- a/wp-settings.php
+++ b/wp-settings.php
@ -332,6 +332,13 @@ if ( !defined('AUTH_COOKIE') )
 if ( !defined('SECURE_AUTH_COOKIE') )
 	define('SECURE_AUTH_COOKIE', 'wordpress_sec_' . COOKIEHASH);

+/**
+ * It is possible to define this in wp-config.php
+ * @since 2.6
+ */
+if ( !defined('LOGGED_IN_COOKIE') )
+	define('LOGGED_IN_COOKIE', 'wordpress_logged_in_' . COOKIEHASH);
+
 /**
 * It is possible to define this in wp-config.php
 * @since 2.3.0
@ -359,7 +366,23 @@ if ( !defined('SITECOOKIEPATH') )
 */
 if ( !defined('COOKIE_DOMAIN') )
 	define('COOKIE_DOMAIN', false);
-	
+
+/**
+ * It is possible to define this in wp-config.php
+ * @since 2.6
+ */
+if ( !defined('FORCE_SSL_ADMIN') )
+	define('FORCE_SSL_ADMIN', false);
+force_ssl_admin(FORCE_SSL_ADMIN);
+
+/**
+ * It is possible to define this in wp-config.php
+ * @since 2.6
+ */
+if ( !defined('FORCE_SSL_LOGIN') )
+	define('FORCE_SSL_LOGIN', false);
+force_ssl_login(FORCE_SSL_LOGIN);
+
 /**
 * It is possible to define this in wp-config.php
 * @since 2.5.0