Description
This plugin is designed to be run in concert with SSL Subdomain for Multisite.
It depends on WPMU Domain Mapping, which must be installed and network activated for it to work.
What this plugin does
If you have the SSL Subdomain for Multisite plugin installed and network activated, logins and admin now happen on https://demo-site.mynetwork.com, while normal site access is on http://demo-site.com.
This works great. But once you log in to demo-site.mynetwork.com to do some admin work and then visit the main site, for example to post a comment as a logged-in WordPress user, you cannot post that comment on the main site: you are not logged in there! Other logged-in niceties, such as the display of the admin bar or the avoidance of caching, are also unavailable. If you log in again, you are logged in to https://demo-site.mynetwork.com, but you still are not logged in on http://demo-site.com.
This plugin solves the problem by enabling single sign-on (SSO) for both the admin panel and the main site on the custom domain. On login, the plugin bounces the user over to the main site to set a cookie there, then bounces them back to the admin panel.
Now you can work in the admin panel normally, and if you click "Visit Site" from the admin panel you go to the custom domain, where you are also logged in and can perform all actions as normal. Single sign-on!
(Foolish) Assumptions
You are using WPMU Domain Mapping for custom domains on your Multisite network.
You have SSL configured for your master domain (e.g. www.mynetwork.com) and for the wildcard *.mynetwork.com. You want normal site access to happen on the custom domains over HTTP, and all admin and login access on the subdomains of *.mynetwork.com over HTTPS.
You have the FORCE_SSL_LOGIN setting in wp-config.php turned on.
You have the FORCE_SSL_ADMIN setting in wp-config.php turned off. We handle that ourselves; WordPress's forcing of SSL admin may confuse this plugin.
This plugin has been tested with, and is intended to be used together with, SSL Subdomain for Multisite.
Known Issues
The redirect_to parameter does not currently work properly. At present you are sent to the root admin page instead of the specific page you were trying to access. This needs improvement, as it affects the user experience.
This provides better security than enabling only FORCE_SSL_LOGIN without FORCE_SSL_ADMIN, because with this plugin and SSL Subdomain for Multisite both login and admin are served over HTTPS.
However, the nature of this setup means that a man-in-the-middle attacker could theoretically impersonate you for the duration of the login session. This theoretical attack scenario cannot currently be avoided without serving everything over SSL (which makes arbitrary custom-domain support impossible) or preventing login.
Original plugin description (English)
Designed to be run in concert with SSL Subdomain for Multisite.
This plugin depends upon WPMU Domain Mapping, which must be installed and network activated for this to work.
What this Plugin does
If you have the SSL Subdomain for Multisite plugin installed and network activated, you now have logins and admin happening on https://demo-site.mynetwork.com, while normal site access is on http://demo-site.com.
This works great. Except, once you log in to demo-site.mynetwork.com to do some admin work, then visit the main site, perhaps to post a comment as a logged in WordPress user, you are not logged in on the main site. This means that you can’t, for example, post that comment while logged in — you aren’t logged in there! Other logged-in niceties like the display of the admin bar, or the avoidance of caching, are not available. If you log in again, it logs you in to https://demo-site.mynetwork.com but still you remain not logged in on http://demo-site.com.
This plugin solves this problem by enabling a single sign on (SSO) for both the admin panel and the main site on the custom domain. Upon login, this plugin bounces the user across to the main site to set a cookie there, then bounces them back to the admin panel.
Now, you can work in the admin panel normally, and if you click ‘Visit Site’ from the Admin panel, you go over to the custom domain, where you are also logged in and can perform all actions as normal. Single Sign On!
(Foolish) Assumptions
You are using WPMU Domain Mapping for custom domains on your Multisite network.
You have SSL configured for your master domain (e.g. www.mynetwork.com), and for the wildcard *.mynetwork.com. You would like normal site access to happen over the custom domains with HTTP, and all admin and login access over the subdomains of *.mynetwork.com with HTTPS.
You have the FORCE_SSL_LOGIN setting in wp-config.php ON.
You have the FORCE_SSL_ADMIN setting in wp-config.php OFF. We’ll handle that — WordPress’ forcing of SSL admins may confuse this plugin.
This plugin was tested with and is intended to be used in concert with SSL Subdomain for Multisite.
Known Issues
The redirect_to parameter is not fully working at present. Sometimes, you will be sent to the root admin page, instead of the specific page you were trying to access. This needs to be improved, as it does compromise the user experience.
This provides better security than only enabling FORCE_SSL_LOGIN but not FORCE_SSL_ADMIN, since with this plugin and SSL Subdomain for Multisite, login and admin are served over HTTPS.
However, the nature of this setup means that a man-in-the-middle attacker could theoretically impersonate you for the duration of the login session. It is not possible at the moment to avoid this theoretical attack scenario without serving everything over HTTPS (making arbitrary custom domain support impossible), or preventing login to the actual custom domain site.
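The page describes the login bounce (admin host sets a cookie on the custom domain, then returns the browser) but not how the handoff is protected. The following is an added illustration, not the plugin's own code, of how a defender would want that exchange to look: the HTTPS admin host mints a signed, short-lived, single-use ticket bound to the target site and to a same-host redirect_to, and the HTTP custom domain verifies it before setting its own cookie. The ticket format, the `sso_ticket` parameter, the shared secret and the cookie name are assumptions for the demo; the host names come from the page, and the comment at the cookie line marks the exposure the known-issues section warns about.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode, urlparse

# Constructed values for the demo; a real deployment would use the network's own secret key.
SHARED_SECRET = b"constructed-network-secret"
TICKET_TTL = 60                          # seconds a handoff ticket stays valid
ADMIN_HOST = "demo-site.mynetwork.com"   # HTTPS admin/login host (from the page)
MAIN_HOST = "demo-site.com"              # HTTP custom domain (from the page)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest())

def issue_ticket(user_id: int, redirect_to: str, now: int) -> str:
    """Admin host side: after a successful HTTPS login, mint a signed, short-lived,
    single-use ticket naming the site it is for and where to bounce back to."""
    if urlparse(redirect_to).netloc != ADMIN_HOST:   # keep redirect_to on our own host
        raise ValueError("redirect_to must point at the admin host")
    payload = {"uid": user_id, "aud": MAIN_HOST, "rt": redirect_to,
               "exp": now + TICKET_TTL, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"

def bounce_url(ticket: str) -> str:
    """The redirect the admin host sends the browser to (hypothetical sso_ticket parameter)."""
    return f"http://{MAIN_HOST}/?" + urlencode({"sso_ticket": ticket})

def accept_ticket(ticket: str, now: int, used: set) -> tuple:
    """Main site side: verify the ticket, set the site's own login cookie and bounce the
    browser back to redirect_to. Returns (set_cookie_header, redirect_location)."""
    body, _, sig = ticket.partition(".")
    if not hmac.compare_digest(sig, _sign(body)):
        raise ValueError("bad signature")
    p = json.loads(_unb64(body))
    if p["aud"] != MAIN_HOST:
        raise ValueError("ticket issued for another site")
    if now > p["exp"]:
        raise ValueError("ticket expired")
    if p["jti"] in used:
        raise ValueError("ticket replayed")
    used.add(p["jti"])
    # The cookie is set on a plain-HTTP host, so it cannot carry the Secure flag: this is the
    # window the known-issues section describes (an on-path attacker can read it in transit).
    cookie = f"wordpress_logged_in={p['uid']}; Path=/; HttpOnly; SameSite=Lax"
    return cookie, p["rt"]
```

The ticket checks close replay, tampering, cross-site reuse and open-redirect abuse of the bounce itself, but they do nothing for the cookie once it travels over HTTP, which is exactly why the page says the residual risk cannot be removed without HTTPS on the custom domain.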
