<?php
/**
 * WordPress User Page
 *
 * Handles authentication, registering, resetting passwords, forgot password,
 * and other user handling.
 *
 * @package WordPress
 */

/** Make sure that the WordPress bootstrap has run before continuing. */
require __DIR__ . '/wp-load.php';

// Redirect to HTTPS login if forced to use SSL.
if ( force_ssl_admin() && ! is_ssl() ) {
	$request_uri = $_SERVER['REQUEST_URI'];

	if ( 0 === strpos( $request_uri, 'http' ) ) {
		// Absolute request URI: only the scheme needs swapping.
		$https_target = set_url_scheme( $request_uri, 'https' );
	} else {
		// Relative request URI: rebuild it from the Host header. HTTP_HOST is
		// client-supplied, so the redirect must stay wp_safe_redirect() rather than
		// wp_redirect() -- presumably it restricts the destination to the site's own
		// host(s); confirm in wp_validate_redirect() before changing this.
		$https_target = 'https://' . $_SERVER['HTTP_HOST'] . $request_uri;
	}

	wp_safe_redirect( $https_target );
	exit();
}

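/**
 * Output the login page header.
 *
 * Emits the opening HTML (doctype through the `#login` wrapper), enqueues the
 * login stylesheet, fires the login head hooks and prints any message / error
 * text above the form.
 *
 * Security notes for callers and plugin authors:
 * - `$message`, the `$error` global and every WP_Error message are echoed as
 *   raw HTML on purpose (core messages carry `<strong>` markup). They must only
 *   ever contain trusted, core- or plugin-authored text; never put unescaped
 *   request data into them.
 * - `$action` comes from `$_REQUEST['action']` but is reduced to a known action
 *   (or one with a registered `login_form_{action}` filter) in the main section
 *   of this file before it reaches the body class, and is esc_attr()'d here.
 *
 * @since 2.1.0
 *
 * @param string   $title    Optional. WordPress login Page title to display in the `<title>` element.
 *                           Default 'Log In'.
 * @param string   $message  Optional. Message to display in header. Default empty.
 * @param WP_Error $wp_error Optional. The error to pass. Default is a WP_Error instance.
 */
function login_header( $title = 'Log In', $message = '', $wp_error = null ) {
	global $error, $interim_login, $action;

	// Don't index any of these forms
	add_action( 'login_head', 'wp_sensitive_page_meta' );

	add_action( 'login_head', 'wp_login_viewport_meta' );

	// Normalise to a WP_Error so the rest of the function can call its methods.
	if ( ! is_wp_error( $wp_error ) ) {
		$wp_error = new WP_Error();
	}

	// Shake it!
	$shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' );
	/**
	 * Filters the error codes array for shaking the login form.
	 *
	 * @since 3.0.0
	 *
	 * @param array $shake_error_codes Error codes that shake the login form.
	 */
	$shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );

	// Strict comparison: error codes are strings, and a loose in_array() could
	// match a filter-supplied code against unrelated values.
	if ( $shake_error_codes && $wp_error->has_errors() && in_array( $wp_error->get_error_code(), $shake_error_codes, true ) ) {
		add_action( 'login_head', 'wp_shake_js', 12 );
	}

	$login_title = get_bloginfo( 'name', 'display' );

	/* translators: Login screen title. 1: Login screen name, 2: Network or site name */
	$login_title = sprintf( __( '%1$s &lsaquo; %2$s &#8212; WordPress' ), $title, $login_title );

	/**
	 * Filters the title tag content for login page.
	 *
	 * Note the result is echoed into `<title>` without further escaping; the
	 * filter's return value is trusted.
	 *
	 * @since 4.9.0
	 *
	 * @param string $login_title The page title, with extra context added.
	 * @param string $title       The original page title.
	 */
	$login_title = apply_filters( 'login_title', $login_title, $title );

	?><!DOCTYPE html>
	<!--[if IE 8]>
		<html xmlns="http://www.w3.org/1999/xhtml" class="ie8" <?php language_attributes(); ?>>
	<![endif]-->
	<!--[if !(IE 8) ]><!-->
		<html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
	<!--<![endif]-->
	<head>
	<meta http-equiv="Content-Type" content="<?php bloginfo( 'html_type' ); ?>; charset=<?php bloginfo( 'charset' ); ?>" />
	<title><?php echo $login_title; ?></title>
	<?php

	wp_enqueue_style( 'login' );

	/*
	 * Remove all stored post data on logging out.
	 * This could be added by add_action('login_head'...) like wp_shake_js(),
	 * but maybe better if it's not removable by plugins.
	 */
	if ( 'loggedout' === $wp_error->get_error_code() ) {
		?>
		<script>if("sessionStorage" in window){try{for(var key in sessionStorage){if(key.indexOf("wp-autosave-")!=-1){sessionStorage.removeItem(key)}}}catch(e){}};</script>
		<?php
	}

	/**
	 * Enqueue scripts and styles for the login page.
	 *
	 * @since 3.1.0
	 */
	do_action( 'login_enqueue_scripts' );

	/**
	 * Fires in the login page header after scripts are enqueued.
	 *
	 * @since 2.1.0
	 */
	do_action( 'login_head' );

	if ( is_multisite() ) {
		$login_header_url   = network_home_url();
		$login_header_title = get_network()->site_name;
	} else {
		$login_header_url   = __( 'https://wordpress.org/' );
		$login_header_title = __( 'Powered by WordPress' );
	}

	/**
	 * Filters link URL of the header logo above login form.
	 *
	 * @since 2.1.0
	 *
	 * @param string $login_header_url Login header logo URL.
	 */
	$login_header_url = apply_filters( 'login_headerurl', $login_header_url );

	/**
	 * Filters the title attribute of the header logo above login form.
	 *
	 * @since 2.1.0
	 *
	 * @param string $login_header_title Login header logo title attribute.
	 */
	$login_header_title = apply_filters( 'login_headertitle', $login_header_title );

	/*
	 * To match the URL/title set above, Multisite sites have the blog name,
	 * while single sites get the header title.
	 */
	if ( is_multisite() ) {
		$login_header_text = get_bloginfo( 'name', 'display' );
	} else {
		$login_header_text = $login_header_title;
	}

	$classes = array( 'login-action-' . $action, 'wp-core-ui' );
	if ( is_rtl() ) {
		$classes[] = 'rtl';
	}
	if ( $interim_login ) {
		$classes[] = 'interim-login';
		?>
		<style type="text/css">html{background-color: transparent;}</style>
		<?php

		if ( 'success' === $interim_login ) {
			$classes[] = 'interim-login-success';
		}
	}
	$classes[] = ' locale-' . sanitize_html_class( strtolower( str_replace( '_', '-', get_locale() ) ) );

	/**
	 * Filters the login page body classes.
	 *
	 * @since 3.5.0
	 *
	 * @param array  $classes An array of body classes.
	 * @param string $action  The action that brought the visitor to the login page.
	 */
	$classes = apply_filters( 'login_body_class', $classes, $action );

	?>
	</head>
	<body class="login <?php echo esc_attr( implode( ' ', $classes ) ); ?>">
	<?php
	/**
	 * Fires in the login page header after the body tag is opened.
	 *
	 * @since 4.6.0
	 */
	do_action( 'login_header' );
	?>
	<div id="login">
		<h1><a href="<?php echo esc_url( $login_header_url ); ?>" title="<?php echo esc_attr( $login_header_title ); ?>"><?php echo $login_header_text; ?></a></h1>
	<?php

	unset( $login_header_url, $login_header_title );

	/**
	 * Filters the message to display above the login form.
	 *
	 * The message is printed as raw HTML; filters must return trusted markup.
	 *
	 * @since 2.1.0
	 *
	 * @param string $message Login message text.
	 */
	$message = apply_filters( 'login_message', $message );
	if ( ! empty( $message ) ) {
		echo $message . "\n";
	}

	// In case a plugin uses $error rather than the $wp_errors object.
	if ( ! empty( $error ) ) {
		$wp_error->add( 'error', $error );
		unset( $error );
	}

	if ( $wp_error->has_errors() ) {
		$errors   = '';
		$messages = '';
		foreach ( $wp_error->get_error_codes() as $code ) {
			// Error data of 'message' marks informational text; anything else is an error.
			// Loose comparison kept on purpose: error data is untyped and may be non-string.
			$severity = $wp_error->get_error_data( $code );
			foreach ( $wp_error->get_error_messages( $code ) as $error_message ) {
				if ( 'message' == $severity ) {
					$messages .= '	' . $error_message . "<br />\n";
				} else {
					$errors .= '	' . $error_message . "<br />\n";
				}
			}
		}
		if ( ! empty( $errors ) ) {
			/**
			 * Filters the error messages displayed above the login form.
			 *
			 * @since 2.1.0
			 *
			 * @param string $errors Login error message.
			 */
			echo '<div id="login_error">' . apply_filters( 'login_errors', $errors ) . "</div>\n";
		}
		if ( ! empty( $messages ) ) {
			/**
			 * Filters instructional messages displayed above the login form.
			 *
			 * @since 2.5.0
			 *
			 * @param string $messages Login messages.
			 */
			echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n";
		}
	}
} // End of login_header()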

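/**
 * Outputs the footer for the login page.
 *
 * Closes the `#login` wrapper opened by login_header(), optionally emits a
 * small inline script that focuses `$input_id`, fires `login_footer` and
 * closes the document.
 *
 * @since 3.1.0
 *
 * @param string $input_id Which input to auto-focus. Interpolated into a
 *                         single-quoted JavaScript string, so it is passed
 *                         through esc_js() to keep a stray quote from breaking
 *                         out of the literal.
 */
function login_footer( $input_id = '' ) {
	global $interim_login;

	// Don't allow interim logins to navigate away from the page.
	if ( ! $interim_login ) :
		?>
	<p id="backtoblog"><a href="<?php echo esc_url( home_url( '/' ) ); ?>">
		<?php
		/* translators: %s: site title */
		printf( _x( '&larr; Back to %s', 'site' ), get_bloginfo( 'title', 'display' ) );
		?>
	</a></p>
		<?php the_privacy_policy_link( '<div class="privacy-policy-page-link">', '</div>' ); ?>
	<?php endif; ?>

	</div>

	<?php if ( ! empty( $input_id ) ) : ?>
	<script type="text/javascript">
	try{document.getElementById('<?php echo esc_js( $input_id ); ?>').focus();}catch(e){}
	if(typeof wpOnload=='function')wpOnload();
	</script>
	<?php endif; ?>

	<?php
	/**
	 * Fires in the login page footer.
	 *
	 * @since 3.1.0
	 */
	do_action( 'login_footer' );
	?>
	<div class="clear"></div>
	</body>
	</html>
	<?php
}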

/**
 * Outputs the Javascript to handle the form shaking.
 *
 * Hooked to `login_head` by login_header() when the current error code is in
 * the `shake_error_codes` list. The script is static: it contains no
 * request-derived or PHP-interpolated data, and it animates `document.forms[0]`
 * once the page has loaded (via jQuery if present, otherwise via wpOnload).
 *
 * @since 3.0.0
 */
function wp_shake_js() {
	// Verbatim inline script; nothing below is built from user input.
	?>
<script type="text/javascript">
addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
function s(id,pos){g(id).left=pos+'px';}
function g(id){return document.getElementById(id).style;}
function shake(id,a,d){c=a.shift();s(id,c);if(a.length>0){setTimeout(function(){shake(id,a,d);},d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e){}}}
addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i,p,20);});
</script>
	<?php
}

/**
 * Outputs the viewport meta tag.
 *
 * Hooked to `login_head` by login_header(). The markup is fixed and contains
 * no request-derived data.
 *
 * @since 3.7.0
 */
function wp_login_viewport_meta() {
	// Same bytes the template form produced: leading tab, tag, newline, tab.
	echo "\t<meta name=\"viewport\" content=\"width=device-width\" />\n\t";
}

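/**
 * Handles sending password retrieval email to user.
 *
 * Reads `$_POST['user_login']`, resolves it to a user (by email when it
 * contains '@', otherwise by login), generates a reset key and mails a link
 * carrying that key to the account's address.
 *
 * Security notes:
 * - The same "no account" wording is used whether the lookup was by login or
 *   email, so the response text alone does not distinguish the two cases.
 * - The reset key is embedded in the emailed URL and is also handed to the
 *   `retrieve_password_message` filter; any plugin on that filter can read it.
 * - If a filter empties the message the mail is skipped but `true` is still
 *   returned, so the caller behaves as if it had been sent.
 *
 * @since 2.5.0
 *
 * @return bool|WP_Error True: when finish. WP_Error on error
 */
function retrieve_password() {
	$errors    = new WP_Error();
	$user_data = false;

	if ( empty( $_POST['user_login'] ) || ! is_string( $_POST['user_login'] ) ) {
		$errors->add( 'empty_username', __( '<strong>ERROR</strong>: Enter a username or email address.' ) );
	} elseif ( strpos( $_POST['user_login'], '@' ) ) {
		// A leading '@' (offset 0) is treated as a login, not an email; such an
		// address can never be valid, so the lookup simply fails below.
		$user_data = get_user_by( 'email', trim( wp_unslash( $_POST['user_login'] ) ) );
		if ( empty( $user_data ) ) {
			$errors->add( 'invalid_email', __( '<strong>ERROR</strong>: There is no account with that username or email address.' ) );
		}
	} else {
		// Unslash here too: WordPress slashes $_POST, and the email branch
		// already strips those slashes before the lookup.
		$login     = trim( wp_unslash( $_POST['user_login'] ) );
		$user_data = get_user_by( 'login', $login );
	}

	/**
	 * Fires before errors are returned from a password reset request.
	 *
	 * @since 2.1.0
	 * @since 4.4.0 Added the `$errors` parameter.
	 *
	 * @param WP_Error $errors A WP_Error object containing any errors generated
	 *                         by using invalid credentials.
	 */
	do_action( 'lostpassword_post', $errors );

	if ( $errors->has_errors() ) {
		return $errors;
	}

	if ( ! $user_data ) {
		$errors->add( 'invalidcombo', __( '<strong>ERROR</strong>: There is no account with that username or email address.' ) );
		return $errors;
	}

	// Redefining user_login ensures we return the right case in the email.
	$user_login = $user_data->user_login;
	$user_email = $user_data->user_email;
	$key        = get_password_reset_key( $user_data );

	if ( is_wp_error( $key ) ) {
		return $key;
	}

	if ( is_multisite() ) {
		$site_name = get_network()->site_name;
	} else {
		/*
		 * The blogname option is escaped with esc_html on the way into the database
		 * in sanitize_option we want to reverse this for the plain text arena of emails.
		 */
		$site_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
	}

	$message = __( 'Someone has requested a password reset for the following account:' ) . "\r\n\r\n";
	/* translators: %s: site name */
	$message .= sprintf( __( 'Site Name: %s' ), $site_name ) . "\r\n\r\n";
	/* translators: %s: user login */
	$message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n";
	$message .= __( 'If this was a mistake, just ignore this email and nothing will happen.' ) . "\r\n\r\n";
	$message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
	// The login is URL-encoded; the key is whatever get_password_reset_key() returned.
	$message .= '<' . network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . ">\r\n";

	/* translators: Password reset email subject. %s: Site name */
	$title = sprintf( __( '[%s] Password Reset' ), $site_name );

	/**
	 * Filters the subject of the password reset email.
	 *
	 * @since 2.8.0
	 * @since 4.4.0 Added the `$user_login` and `$user_data` parameters.
	 *
	 * @param string  $title      Default email title.
	 * @param string  $user_login The username for the user.
	 * @param WP_User $user_data  WP_User object.
	 */
	$title = apply_filters( 'retrieve_password_title', $title, $user_login, $user_data );

	/**
	 * Filters the message body of the password reset mail.
	 *
	 * If the filtered message is empty, the password reset email will not be sent.
	 *
	 * @since 2.8.0
	 * @since 4.1.0 Added `$user_login` and `$user_data` parameters.
	 *
	 * @param string  $message    Default mail message.
	 * @param string  $key        The activation key.
	 * @param string  $user_login The username for the user.
	 * @param WP_User $user_data  WP_User object.
	 */
	$message = apply_filters( 'retrieve_password_message', $message, $key, $user_login, $user_data );

	if ( $message && ! wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) ) {
		wp_die( __( 'The email could not be sent.' ) . "<br />\n" . __( 'Possible reason: your host may have disabled the mail() function.' ) );
	}

	return true;
}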

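//
// Main.
//

// Only a string can be an action name; an array here would otherwise reach
// has_filter() below and trigger an "Array to string conversion" notice.
$action = ( isset( $_REQUEST['action'] ) && is_string( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

// A reset key in the query string always means the password-reset screen.
if ( isset( $_GET['key'] ) ) {
	$action = 'resetpass';
}

// Validate action so as to default to the login screen.
// Anything outside the core list is only honoured when a plugin has hooked
// `login_form_{action}`; everything else collapses to 'login'.
if ( ! in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login', 'confirmaction' ), true ) && false === has_filter( 'login_form_' . $action ) ) {
	$action = 'login';
}

nocache_headers();

header( 'Content-Type: ' . get_bloginfo( 'html_type' ) . '; charset=' . get_bloginfo( 'charset' ) );

if ( defined( 'RELOCATE' ) && RELOCATE ) { // Move flag is set
	if ( isset( $_SERVER['PATH_INFO'] ) && ( $_SERVER['PATH_INFO'] !== $_SERVER['PHP_SELF'] ) ) {
		$_SERVER['PHP_SELF'] = str_replace( $_SERVER['PATH_INFO'], '', $_SERVER['PHP_SELF'] );
	}

	// The new siteurl is built from the Host header, which the client controls:
	// while RELOCATE is defined, any request that reaches this file can rewrite
	// the siteurl option. Define it only for the duration of a move, then remove it.
	$url = dirname( set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] ) );
	if ( $url !== get_option( 'siteurl' ) ) {
		update_option( 'siteurl', $url );
	}
}

//Set a cookie now to see if they are supported by the browser.
// The Secure flag follows the scheme of the login URL; the value is a fixed
// marker with no session meaning.
$secure = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) );
setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure );
if ( SITECOOKIEPATH != COOKIEPATH ) {
	setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
}

/**
 * Fires when the login form is initialized.
 *
 * @since 3.2.0
 */
do_action( 'login_init' );

/**
 * Fires before a specified login form action.
 *
 * The dynamic portion of the hook name, `$action`, refers to the action
 * that brought the visitor to the login form. Actions include 'postpass',
 * 'logout', 'lostpassword', etc.
 *
 * @since 2.8.0
 */
do_action( "login_form_{$action}" );

$http_post     = ( 'POST' === $_SERVER['REQUEST_METHOD'] );
$interim_login = isset( $_REQUEST['interim-login'] );

/**
 * Filters the separator used between login form navigation links.
 *
 * @since 4.9.0
 *
 * @param string $login_link_separator The separator used between login form navigation links.
 */
$login_link_separator = apply_filters( 'login_link_separator', ' | ' );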

switch ( $action ) {

	case 'postpass':
		if ( ! array_key_exists( 'post_password', $_POST ) ) {
			wp_safe_redirect( wp_get_referer() );
			exit();
		}

		require_once ABSPATH . WPINC . '/class-phpass.php';
		$hasher = new PasswordHash( 8, true );

		/**
		 * Filters the life span of the post password cookie.
		 *
		 * By default, the cookie expires 10 days from creation. To turn this
		 * into a session cookie, return 0.
		 *
		 * @since 3.7.0
		 *
		 * @param int $expires The expiry time, as passed to setcookie().
		 */
		$expire  = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
		$referer = wp_get_referer();
		if ( $referer ) {
			$secure = ( 'https' === parse_url( $referer, PHP_URL_SCHEME ) );
		} else {
			$secure = false;
		}
		setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );

		wp_safe_redirect( wp_get_referer() );
		exit();

	case 'logout':
		check_admin_referer( 'log-out' );

		$user = wp_get_current_user();

		wp_logout();

		if ( ! empty( $_REQUEST['redirect_to'] ) ) {
			$redirect_to = $requested_redirect_to = $_REQUEST['redirect_to'];
		} else {
			$redirect_to           = 'wp-login.php?loggedout=true';
			$requested_redirect_to = '';
		}

		/**
		 * Filters the log out redirect URL.
		 *
		 * @since 4.2.0
		 *
		 * @param string  $redirect_to           The redirect destination URL.
		 * @param string  $requested_redirect_to The requested redirect destination URL passed as a parameter.
		 * @param WP_User $user                  The WP_User object for the user that's logging out.
		 */
		$redirect_to = apply_filters( 'logout_redirect', $redirect_to, $requested_redirect_to, $user );
		wp_safe_redirect( $redirect_to );
		exit();

	case 'lostpassword':
	case 'retrievepassword':
		if ( $http_post ) {
			$errors = retrieve_password();
			if ( ! is_wp_error( $errors ) ) {
				$redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?checkemail=confirm';
				wp_safe_redirect( $redirect_to );
				exit();
			}
		}

		if ( isset( $_GET['error'] ) ) {
			if ( 'invalidkey' == $_GET['error'] ) {
				$errors->add( 'invalidkey', __( 'Your password reset link appears to be invalid. Please request a new link below.' ) );
			} elseif ( 'expiredkey' == $_GET['error'] ) {
				$errors->add( 'expiredkey', __( 'Your password reset link has expired. Please request a new link below.' ) );
			}
		}

		$lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
		/**
		 * Filters the URL redirected to after submitting the lostpassword/retrievepassword form.
		 *
		 * @since 3.0.0
		 *
		 * @param string $lostpassword_redirect The redirect destination URL.
		 */
		$redirect_to = apply_filters( 'lostpassword_redirect', $lostpassword_redirect );

		/**
		 * Fires before the lost password form.
		 *
		 * @since 1.5.1
		 * @since 5.1.0 Added the `$errors` parameter.
		 *
		 * @param WP_Error $errors A `WP_Error` object containing any errors generated by using invalid
		 *                         credentials. Note that the error object may not contain any errors.
		 */
		do_action( 'lost_password', $errors );

		login_header( __( 'Lost Password' ), '<p class="message">' . __( 'Please enter your username or email address. You will receive a link to create a new password via email.' ) . '</p>', $errors );

		$user_login = '';

		if ( isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
			$user_login = wp_unslash( $_POST['user_login'] );
		}

		?>

	<form name="lostpasswordform" id="lostpasswordform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=lostpassword', 'login_post' ) ); ?>" method="post">
	<p>
		<label for="user_login" ><?php _e( 'Username or Email Address' ); ?><br />
		<input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" /></label>
	</p>
		<?php
		/**
		 * Fires inside the lostpassword form tags, before the hidden fields.
		 *
		 * @since 2.1.0
		 */
		do_action( 'lostpassword_form' );
		?>
		<input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
		<p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e( 'Get New Password' ); ?>" /></p>
	</form>

	<p id="nav">
	<a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a>
		<?php
		if ( get_option( 'users_can_register' ) ) :
			$registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );

			echo esc_html( $login_link_separator );

			/** This filter is documented in wp-includes/general-template.php */
			echo apply_filters( 'register', $registration_url );
	endif;
		?>
	</p>

		<?php
		login_footer( 'user_login' );

		break;

	case 'resetpass':
	case 'rp':
		list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
		$rp_cookie       = 'wp-resetpass-' . COOKIEHASH;
		if ( isset( $_GET['key'] ) ) {
			$value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
			setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
			wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) );
			exit;
		}

		if ( isset( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) {
			list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
			$user                      = check_password_reset_key( $rp_key, $rp_login );
			if ( isset( $_POST['pass1'] ) && ! hash_equals( $rp_key, $_POST['rp_key'] ) ) {
				$user = false;
			}
		} else {
			$user = false;
		}

		if ( ! $user || is_wp_error( $user ) ) {
			setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
			if ( $user && $user->get_error_code() === 'expired_key' ) {
				wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) );
			} else {
				wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) );
			}
			exit;
		}

		$errors = new WP_Error();

		if ( isset( $_POST['pass1'] ) && $_POST['pass1'] != $_POST['pass2'] ) {
			$errors->add( 'password_reset_mismatch', __( 'The passwords do not match.' ) );
		}

		/**
		 * Fires before the password reset procedure is validated.
		 *
		 * @since 3.5.0
		 *
		 * @param object           $errors WP Error object.
		 * @param WP_User|WP_Error $user   WP_User object if the login and reset key match. WP_Error object otherwise.
		 */
		do_action( 'validate_password_reset', $errors, $user );

		if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) {
			reset_password( $user, $_POST['pass1'] );
			setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
			login_header( __( 'Password Reset' ), '<p class="message reset-pass">' . __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a></p>' );
			login_footer();
			exit;
		}

		wp_enqueue_script( 'utils' );
		wp_enqueue_script( 'user-profile' );

		login_header( __( 'Reset Password' ), '<p class="message reset-pass">' . __( 'Enter your new password below.' ) . '</p>', $errors );

		?>
	<form name="resetpassform" id="resetpassform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=resetpass', 'login_post' ) ); ?>" method="post" autocomplete="off">
	<input type="hidden" id="user_login" value="<?php echo esc_attr( $rp_login ); ?>" autocomplete="off" />

	<div class="user-pass1-wrap">
		<p>
			<label for="pass1"><?php _e( 'New password' ); ?></label>
		</p>

		<div class="wp-pwd">
			<div class="password-input-wrapper">
				<input type="password" data-reveal="1" data-pw="<?php echo esc_attr( wp_generate_password( 16 ) ); ?>" name="pass1" id="pass1" class="input password-input" size="24" value="" autocomplete="off" aria-describedby="pass-strength-result" />
				<span class="button button-secondary wp-hide-pw hide-if-no-js">
					<span class="dashicons dashicons-hidden"></span>
				</span>
			</div>
			<div id="pass-strength-result" class="hide-if-no-js" aria-live="polite"><?php _e( 'Strength indicator' ); ?></div>
		</div>
		<div class="pw-weak">
			<label>
				<input type="checkbox" name="pw_weak" class="pw-checkbox" />
				<?php _e( 'Confirm use of weak password' ); ?>
			</label>
		</div>
	</div>

	<p class="user-pass2-wrap">
		<label for="pass2"><?php _e( 'Confirm new password' ); ?></label><br />
		<input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="off" />
	</p>

	<p class="description indicator-hint"><?php echo wp_get_password_hint(); ?></p>
	<br class="clear" />

		<?php
		/**
		 * Fires following the 'Strength indicator' meter in the user password reset form.
		 *
		 * @since 3.9.0
		 *
		 * @param WP_User $user User object of the user whose password is being reset.
		 */
		do_action( 'resetpass_form', $user );
		?>
	<input type="hidden" name="rp_key" value="<?php echo esc_attr( $rp_key ); ?>" />
	<p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e( 'Reset Password' ); ?>" /></p>
	</form>

	<p id="nav">
	<a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a>
		<?php
		if ( get_option( 'users_can_register' ) ) :
			$registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );

			echo esc_html( $login_link_separator );

			/** This filter is documented in wp-includes/general-template.php */
			echo apply_filters( 'register', $registration_url );
	endif;
		?>
	</p>

		<?php
		login_footer( 'user_pass' );

		break;

	case 'register':
		if ( is_multisite() ) {
			/**
			 * Filters the Multisite sign up URL.
			 *
			 * @since 3.0.0
			 *
			 * @param string $sign_up_url The sign up URL.
			 */
			wp_redirect( apply_filters( 'wp_signup_location', network_site_url( 'wp-signup.php' ) ) );
			exit;
		}

		if ( ! get_option( 'users_can_register' ) ) {
			wp_redirect( site_url( 'wp-login.php?registration=disabled' ) );
			exit();
		}

		$user_login = '';
		$user_email = '';

		if ( $http_post ) {
			if ( isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
				$user_login = $_POST['user_login'];
			}

			if ( isset( $_POST['user_email'] ) && is_string( $_POST['user_email'] ) ) {
				$user_email = wp_unslash( $_POST['user_email'] );
			}

			$errors = register_new_user( $user_login, $user_email );
			if ( ! is_wp_error( $errors ) ) {
				$redirect_to = ! empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : 'wp-login.php?checkemail=registered';
				wp_safe_redirect( $redirect_to );
				exit();
			}
		}

		$registration_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
		/**
		 * Filters the registration redirect URL.
		 *
		 * @since 3.0.0
		 *
		 * @param string $registration_redirect The redirect destination URL.
		 */
		$redirect_to = apply_filters( 'registration_redirect', $registration_redirect );
		login_header( __( 'Registration Form' ), '<p class="message register">' . __( 'Register For This Site' ) . '</p>', $errors );
		?>
	<form name="registerform" id="registerform" action="<?php echo esc_url( site_url( 'wp-login.php?action=register', 'login_post' ) ); ?>" method="post" novalidate="novalidate">
	<p>
		<label for="user_login"><?php _e( 'Username' ); ?><br />
		<input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( wp_unslash( $user_login ) ); ?>" size="20" autocapitalize="off" /></label>
	</p>
	<p>
		<label for="user_email"><?php _e( 'Email' ); ?><br />
		<input type="email" name="user_email" id="user_email" class="input" value="<?php echo esc_attr( wp_unslash( $user_email ) ); ?>" size="25" /></label>
	</p>
		<?php
		/**
		 * Fires following the 'Email' field in the user registration form.
		 *
		 * @since 2.1.0
		 */
		do_action( 'register_form' );
		?>
	<p id="reg_passmail"><?php _e( 'Registration confirmation will be emailed to you.' ); ?></p>
	<br class="clear" />
	<input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
	<p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e( 'Register' ); ?>" /></p>
	</form>

	<p id="nav">
	<a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a>
		<?php echo esc_html( $login_link_separator ); ?>
	<a href="<?php echo esc_url( wp_lostpassword_url() ); ?>"><?php _e( 'Lost your password?' ); ?></a>
	</p>

		<?php
		login_footer( 'user_login' );

		break;

	case 'confirmaction':
		if ( ! isset( $_GET['request_id'] ) ) {
			wp_die( __( 'Invalid request.' ) );
		}

		$request_id = (int) $_GET['request_id'];

		if ( isset( $_GET['confirm_key'] ) ) {
			$key    = sanitize_text_field( wp_unslash( $_GET['confirm_key'] ) );
			$result = wp_validate_user_request_key( $request_id, $key );
		} else {
			$result = new WP_Error( 'invalid_key', __( 'Invalid key' ) );
		}

		if ( is_wp_error( $result ) ) {
			wp_die( $result );
		}

		/**
		 * Fires an action hook when the account action has been confirmed by the user.
		 *
		 * Using this you can assume the user has agreed to perform the action by
		 * clicking on the link in the confirmation email.
		 *
		 * After firing this action hook the page will redirect to wp-login unless a callback
		 * redirects or exits first.
		 *
		 * @since 4.9.6
		 *
		 * @param int $request_id Request ID.
		 */
		do_action( 'user_request_action_confirmed', $request_id );

		$message = _wp_privacy_account_request_confirmed_message( $request_id );

		login_header( __( 'User action confirmed.' ), $message );
		login_footer();
		exit;

	case 'login':
	default:
		$secure_cookie   = '';
		$customize_login = isset( $_REQUEST['customize-login'] );
		if ( $customize_login ) {
			wp_enqueue_script( 'customize-base' );
		}

		// If the user wants SSL but the session is not SSL, force a secure cookie.
		if ( ! empty( $_POST['log'] ) && ! force_ssl_admin() ) {
			$user_name = sanitize_user( $_POST['log'] );
			$user      = get_user_by( 'login', $user_name );

			if ( ! $user && strpos( $user_name, '@' ) ) {
				$user = get_user_by( 'email', $user_name );
			}

			if ( $user ) {
				if ( get_user_option( 'use_ssl', $user->ID ) ) {
					$secure_cookie = true;
					force_ssl_admin( true );
				}
			}
		}

		if ( isset( $_REQUEST['redirect_to'] ) ) {
			$redirect_to = $_REQUEST['redirect_to'];
			// Redirect to HTTPS if user wants SSL.
			if ( $secure_cookie && false !== strpos( $redirect_to, 'wp-admin' ) ) {
				$redirect_to = preg_replace( '|^http://|', 'https://', $redirect_to );
			}
		} else {
			$redirect_to = admin_url();
		}

		$reauth = empty( $_REQUEST['reauth'] ) ? false : true;

		$user = wp_signon( array(), $secure_cookie );

		if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
			if ( headers_sent() ) {
				$user = new WP_Error(
					'test_cookie',
					sprintf(
						/* translators: 1: Browser cookie documentation URL, 2: Support forums URL */
						__( '<strong>ERROR</strong>: Cookies are blocked due to unexpected output. For help, please see <a href="%1$s">this documentation</a> or try the <a href="%2$s">support forums</a>.' ),
						__( 'https://codex.wordpress.org/Cookies' ),
						__( 'https://wordpress.org/support/' )
					)
				);
			} elseif ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[ TEST_COOKIE ] ) ) {
				// If cookies are disabled we can't log in even with a valid user+pass
				$user = new WP_Error(
					'test_cookie',
					sprintf(
						/* translators: %s: Browser cookie documentation URL */
						__( '<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href="%s">enable cookies</a> to use WordPress.' ),
						__( 'https://codex.wordpress.org/Cookies' )
					)
				);
			}
		}
