sc0ttkclark

WordPress HTTPS with Cookie Handling

Apr 14th, 2011
  1. <?php
  2. /*
  3. Plugin Name: WordPress HTTPS
  4. Plugin URI: http://mvied.com/projects/wordpress-https/
  5. Description: WordPress HTTPS is intended to be an all-in-one solution to using SSL on WordPress sites. Free support provided!
  6. Author: Mike Ems
  7. Version: 1.8.5
  8. Author URI: http://mvied.com/
  9. */
  10.  
  11. /**
  12. * Class for the WordPress plugin WordPress HTTPS
  13. *
  14. * @author  Mike Ems
  15. * @package WordPressHTTPS
  16. * @copyright Copyright 2010
  17. *
  18. */
  19.  
  20. if ( !class_exists('WordPressHTTPS') ) {
  21.  class WordPressHTTPS {
  22.  
  23.   /**
  24.    * Plugin version
  25.    *
  26.    * @var string
  27.    */
  28.   var $plugin_version = '1.8.5';
  29.  
  30.   /**
  31.    * Plugin URL
  32.    *
  33.    * @var string
  34.    */
  35.   var $plugin_url;
  36.  
  37.   /**
  38.    * HTTP URL
  39.    *
  40.    * @var string
  41.    */
  42.   var $http_url;
  43.  
  44.   /**
  45.    * HTTPS URL
  46.    *
  47.    * @var string
  48.    */
  49.   var $https_url;
  50.  
  51.   /**
  52.    * Shared SSL
  53.    *
  54.    * @var boolean
  55.    */
  56.   var $shared_ssl = 0;
  57.  
  58.   /**
  59.    * Default options
  60.    *
  61.    * @var array
  62.    */
  63.   var $options_default;
  64.  
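  /**
   * Initialize plugin
   *
   * Resolves the HTTP and HTTPS base URLs, applies the Shared SSL options
   * and registers every action and filter the plugin relies on.
   *
   * @return void
   */
  function __construct() {
   // plugins_url() is called with a file argument on WordPress 2.8+ only;
   // older versions fall back to WP_PLUGIN_URL
   if ( version_compare( get_bloginfo('version'), '2.8', '>=' ) ) {
    $this->plugin_url = plugins_url('', __FILE__);
   } else {
    $this->plugin_url = WP_PLUGIN_URL . '/' . plugin_basename(dirname(__FILE__));
   }

   $home = (string) get_option('home');

   // Both base URLs are built from the host part of the `home` option only
   $this->http_url = 'http://' . parse_url($home, PHP_URL_HOST);
   $this->https_url = $this->replace_http($this->http_url);

   // Shared SSL: the HTTPS base URL comes from the stored option instead
   if ( get_option('wordpress-https_sharedssl') == 1 && get_option('wordpress-https_sharedssl_host') != '' ) {
    $this->shared_ssl = 1;
    $this->https_url = get_option('wordpress-https_sharedssl_host');
    // Prevent WordPress from causing a redirect loop
    remove_filter('template_redirect', 'redirect_canonical');
   }

   // Define default options
   $this->options_default = array(
    'wordpress-https_internalurls'         => 1, // Force internal URL's to HTTPS
    'wordpress-https_externalurls'         => 0, // Force external URL's to HTTPS
    'wordpress-https_bypass'               => 0, // Bypass option to check if external elements can be loaded via HTTPS
    'wordpress-https_disable_autohttps'    => 0, // Prevents WordPress 3.0+ from making all links HTTPS when viewing a secure page.
    'wordpress-https_exclusive_https'      => 0, // Exclusively force SSL on posts and pages with the `Force SSL` option checked.
    'wordpress-https_frontpage'            => 0, // Force SSL on front page
    'wordpress-https_sharedssl'            => 0, // Enable Shared SSL
    'wordpress-https_sharedssl_host'       => '' // Hostname for Shared SSL
   );

   // Output buffering and admin/login redirects both start on plugins_loaded
   add_action('plugins_loaded', array($this, 'buffer_start'));
   add_action('plugins_loaded', array($this, 'admin_redirect'));

   // Decide the Secure flag of the core auth cookies
   add_filter('secure_auth_cookie', array($this, 'secure_auth_cookie'));
   add_filter('secure_logged_in_cookie', array($this, 'secure_logged_in_cookie'));

   // Mirror the auth cookies for the other scheme, and clear them on logout
   add_action('set_auth_cookie', array($this, 'set_cookie'), 10, 5);
   add_action('set_logged_in_cookie', array($this, 'set_cookie'), 10, 5);
   add_action('clear_auth_cookie', array($this, 'clear_cookie'));

   if ( is_admin() ) {
    // Add admin menus
    add_action('admin_menu', array($this, 'menu'));

    // Load on plugins page
    if ( isset($GLOBALS['pagenow']) && $GLOBALS['pagenow'] == 'plugins.php' ) {
     add_filter( 'plugin_row_meta', array( $this, 'plugin_links' ), 10, 2);
    }

    // Load on Settings page (isset() replaces the former @-suppressed read)
    if ( isset($_GET['page']) && $_GET['page'] == 'wordpress-https' ) {
     wp_enqueue_script('jquery-form', $this->plugin_url . '/js/jquery.form.js', array('jquery'), '2.47', true);
     wp_enqueue_script('wordpress-https', $this->plugin_url . '/js/admin.js', array('jquery'), $this->plugin_version, true);
     // wp_enqueue_style() takes the dependency list third and the version
     // fourth; the version string used to be passed as the dependency list
     wp_enqueue_style('wordpress-https', $this->plugin_url . '/css/admin.css', array(), $this->plugin_version);

     // Set default options
     foreach ( $this->options_default as $option => $value ) {
      if ( get_option($option) === false ) {
       add_option($option, $value);
      }
     }
    }

    // Add 'Force SSL' checkbox to add/edit post pages
    add_action('post_submitbox_misc_actions', array($this, 'post_checkbox'));
    add_action('save_post', array($this, 'post_save'));
   }

   // Check if the page needs to be redirected
   add_action('template_redirect', array($this, 'check_https'));

   // The former test, strpos('https://', home) !== true, had its arguments
   // swapped and could never be false, so links were rewritten to HTTP even
   // on a site whose home URL is already https://
   $home_is_https = ( strpos($home, 'https://') === 0 );
   $link_filters = array('page_link', 'post_link', 'category_link', 'get_archives_link', 'tag_link', 'search_link');

   if ( get_option('wordpress-https_disable_autohttps') == 1 && !is_admin() && !$home_is_https ) {
    // Filter HTTPS from links in WP 3.0+
    foreach ( $link_filters as $hook ) {
     add_filter($hook, array($this, 'replace_https'));
    }
    add_filter('home_url', array($this, 'replace_https'));
    add_filter('bloginfo', array($this, 'bloginfo'), 10, 2);
    add_filter('bloginfo_url', array($this, 'bloginfo'), 10, 2);
   } else if ( is_admin() && $this->is_ssl() && !$home_is_https ) {
    // If the whole site is not HTTPS, set links to the front-end to HTTP
    foreach ( $link_filters as $hook ) {
     add_filter($hook, array($this, 'replace_https'));
    }
   }

   // buffer_end() is left unhooked, as in the original (its add_action on
   // 'shutdown' was commented out)
  }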
  180.  
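  /**
   * Process output buffer
   *
   * Output-buffer callback registered by buffer_start(). On secure pages it
   * rewrites element URLs to HTTPS; on every page it points anchors at the
   * scheme selected by the target's `force_ssl` post meta.
   *
   * @param string $buffer Complete page markup
   * @return string Markup with rewritten URLs
   */
  function process($buffer) {
   if ( $this->is_ssl() ) {
    preg_match_all('/\<(script|link|img|input|form|embed|param)[^>]+((http|https):\/\/[\/-\w\.#]+)[^>]+>/im', $buffer, $matches);

    // Walk the matches themselves; the former `$i <= sizeof(...)` bound read
    // one index past the end of every match array
    foreach ( $matches[0] as $i => $html ) {
     $type = $matches[1][$i];
     $url  = $matches[2][$i];

     $is_link_asset  = ( $type == 'link' && ( strpos($html, 'stylesheet') !== false || strpos($html, 'pingback') !== false ) );
     $is_image_input = ( $type == 'input' && strpos($html, 'image') !== false );
     $is_movie_param = ( $type == 'param' && strpos($html, 'movie') !== false );

     if ( !( $is_link_asset || $is_image_input || $is_movie_param || $type == 'img' || $type == 'script' || $type == 'embed' ) ) {
      continue;
     }

     if ( strpos($url, $this->http_url) !== false && get_option('wordpress-https_internalurls') == 1 ) {
      $buffer = str_replace($html, str_replace($this->http_url, $this->https_url, $html), $buffer);
     } else if ( $this->shared_ssl && get_option('wordpress-https_internalurls') == 1 && strpos($html, $this->http_url) !== false ) {
      $buffer = str_replace($html, str_replace($this->http_url, $this->https_url, $html), $buffer);
     } else if ( get_option('wordpress-https_externalurls') == 1 ) {
      if ( get_option('wordpress-https_bypass') == 1 ) {
       $buffer = str_replace($html, $this->replace_http($html), $buffer);
      // NOTE(review): this downloads the whole remote resource during page
      // rendering, once per external element, and the URL is taken from the
      // page markup. The server therefore makes outbound requests to whatever
      // hosts the markup names. Consider the bypass option, or caching the
      // result per host, where page content is not fully trusted.
      } else if ( @file_get_contents($this->replace_http($url)) ) {
       $buffer = str_replace($html, $this->replace_http($html), $buffer);
      }
     }
    }

    // Look for any relative paths that should be updated to the Shared SSL path
    if ( $this->shared_ssl == 1 ) {
     preg_match_all('/\<(script|link|img|input|form|embed|param|a)[^>]+[\'"](\/[\/-\w\.#?=&;]*)[^>]+>/im', $buffer, $matches);

     foreach ( $matches[0] as $i => $html ) {
      $url = $matches[2][$i];

      $buffer = str_replace($html, str_replace($url, $this->https_url . $url, $html), $buffer);
     }
    }
   }

   // Update anchor tags to appropriate URL's
   preg_match_all('/\<a[^>]+[\'"]((http|https):\/\/[\/-\w\.#?=&;]+)[^>]+>/im', $buffer, $matches);

   // Path prefix of the site; parse_url() returns null when there is none
   $base_path = (string) parse_url($this->shared_ssl ? $this->https_url : get_option('home'), PHP_URL_PATH);

   foreach ( $matches[0] as $i => $html ) {
    $url = $matches[1][$i];

    $url_path = str_replace($base_path, '', (string) parse_url($url, PHP_URL_PATH));

    if ( $url_path == '/' ) {
     $post = get_option('page_on_front');
    } else {
     // Unknown paths yield no page object; the ID used to be read
     // from the result without checking it
     $page = get_page_by_path($url_path);
     $post = is_object($page) ? $page->ID : 0;
    }

    if ( $post ) {
     $force_ssl = get_post_meta($post, 'force_ssl', true);

     if ( $force_ssl ) {
      $buffer = str_replace($html, str_replace($this->http_url, $this->https_url, $html), $buffer);
     } else if ( get_option('wordpress-https_exclusive_https') == 1 ) {
      $buffer = str_replace($html, str_replace($this->https_url, $this->http_url, $html), $buffer);
     }
    }
   }

   // Fix any links that contain the HTTPS version of the regular domain when using Shared SSL
   if ( $this->shared_ssl && get_option('wordpress-https_internalurls') == 1 ) {
    // Passing the delimiter makes preg_quote() escape '/' as well
    $regex_url = preg_quote($this->replace_http($this->http_url), '/');
    preg_match_all('/\<a[^>]+(' . $regex_url . ')[^>]+>/im', $buffer, $matches);

    foreach ( $matches[0] as $i => $html ) {
     $url = $matches[1][$i];

     $buffer = str_replace($html, str_replace($url, $this->https_url, $html), $buffer);
    }
   }

   return $buffer;
  }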
  275.  
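  /**
   * Checks if the current page is SSL
   *
   * With Shared SSL enabled, a request also counts as secure when the
   * X-Forwarded-Server request header is contained in the Shared SSL URL.
   * Otherwise the answer comes from WordPress' own is_ssl().
   *
   * @return boolean
   */
  function is_ssl() {
   if ( $this->shared_ssl == 1 ) {
    $forwarded_server = '';
    if ( isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && is_string($_SERVER['HTTP_X_FORWARDED_SERVER']) ) {
     $forwarded_server = $_SERVER['HTTP_X_FORWARDED_SERVER'];
    }

    // A missing header must not match: strpos() with an empty needle either
    // warns or (PHP 8) reports a match at offset 0, which made every request
    // look secure.
    // NOTE(review): this is a request header. Unless the front proxy always
    // overwrites it, a client can send it, so a true result here is not
    // proof that the connection used TLS.
    if ( $forwarded_server !== '' && strpos($this->https_url, $forwarded_server) !== false ) {
     return true;
    }
   }
   return is_ssl();
  }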
  288.  
  /**
   * Checks if the current page needs to be redirected
   *
   * Runs on template_redirect. A "latest posts" front page follows the
   * front page option; any other single view follows the `force_ssl`
   * meta of the global $post.
   *
   * @return void
   */
  function check_https() {
   global $post;

   // Front page showing the latest posts: there is no post meta to consult
   if ( is_front_page() && get_option('show_on_front') == 'posts' ) {
    if ( get_option('wordpress-https_frontpage') == 1 ) {
     if ( !$this->is_ssl() ) {
      $this->redirect(true);
     }
     return;
    }
    if ( get_option('wordpress-https_exclusive_https') == 1 && $this->is_ssl() ) {
     $this->redirect(false);
    }
    return;
   }

   $is_single_view = ( is_single() || is_page() || is_front_page() || is_home() );
   if ( !$is_single_view || !( $post->ID > 0 ) ) {
    return;
   }

   // Called without the $single flag, so this is an array of meta values;
   // only whether it is empty matters below
   $force_ssl_meta = get_post_meta($post->ID, 'force_ssl');

   if ( !$this->is_ssl() && $force_ssl_meta ) {
    $this->redirect(true);
   } else if ( get_option('wordpress-https_exclusive_https') == 1 && !$force_ssl_meta ) {
    // redirect(false) only acts when the current request is secure
    $this->redirect(false);
   }
  }
  312.  
  /**
   * Used to redirect admin pages to Shared SSL host
   *
   * Applies only with Shared SSL enabled: the admin panel and the login
   * page are sent to the secure host when WordPress is set to force SSL.
   *
   * @return void
   */
  function admin_redirect() {
   // Admin panel that should be SSL but is being served without it
   $admin_needs_ssl = ( is_admin() && $this->shared_ssl && force_ssl_admin() && !$this->is_ssl() );

   if ( !$admin_needs_ssl ) {
    // Login page that should be SSL but is being served without it
    $login_needs_ssl = ( $GLOBALS['pagenow'] == 'wp-login.php' && ( force_ssl_admin() || force_ssl_login() ) && $this->shared_ssl && !$this->is_ssl() );
    if ( !$login_needs_ssl ) {
     return;
    }
   }

   $this->redirect(true);
  }
  328.  
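  /**
   * Redirects page to HTTP or HTTPS accordingly
   *
   * Does nothing when the request already uses the requested scheme.
   * The target host always comes from the plugin's stored URLs, never from
   * the request; only the request URI is appended to it.
   *
   * @param boolean $ssl true to move to HTTPS, false to move to HTTP
   * @return void
   */
  function redirect($ssl = true) {
   $on_ssl = $this->is_ssl();

   if ( !$on_ssl && $ssl == true ) {
    $url = parse_url($this->https_url);
    $scheme = 'https';
   } else if ( $on_ssl && $ssl == false ) {
    $url = parse_url($this->http_url);
    $scheme = 'http';
   } else {
    return;
   }

   // parse_url() returns false for a malformed URL and omits absent parts;
   // without a host there is nothing safe to redirect to
   if ( !is_array($url) || empty($url['host']) ) {
    return;
   }

   // Only a Shared SSL URL carries a path prefix, and the HTTP URL never
   // has one, so the key has to be checked before it is read
   $prefix = ( $this->shared_ssl && isset($url['path']) ) ? $url['path'] : '';
   $request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

   $destination = $scheme . '://' . $url['host'] . $prefix . $request_uri;
   wp_redirect($destination, 301);
   exit();
  }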
  351.  
  /**
   * Add 'Force SSL' checkbox to add/edit post pages
   *
   * Prints the nonce field that post_save() verifies, then the checkbox,
   * ticked when the post already has `force_ssl` meta.
   *
   * @return void
   */
  function post_checkbox() {
   global $post;

   wp_nonce_field(plugin_basename(__FILE__), 'wordpress-https');

   // A post without an ID has no stored meta yet
   $checked = $post->ID ? get_post_meta($post->ID, 'force_ssl', true) : false;
   $checked_attr = $checked ? ' checked="checked"' : '';

   echo '<div class="misc-pub-section misc-pub-section-last" style="border-top: 1px solid #EEE;"><label>Force SSL: <input type="checkbox" value="1" name="force_ssl" id="force_ssl"'.$checked_attr.' /></label></div>';
  }
  369.  
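  /**
   * Save Force SSL option to post or page
   *
   * Acts only on submissions that carry the plugin's nonce field, pass
   * nonce verification, are not autosaves and come from a user allowed to
   * edit the post.
   *
   * @param int $post_id
   * @return int $post_id
   */
  function post_save( $post_id ) {
   if ( !array_key_exists('wordpress-https', $_POST) ) {
    return $post_id;
   }

   if ( !wp_verify_nonce($_POST['wordpress-https'], plugin_basename(__FILE__)) ) {
    return $post_id;
   }

   if ( defined('DOING_AUTOSAVE') && DOING_AUTOSAVE ) {
    return $post_id;
   }

   // post_type may be missing from the request; treat that as a post
   $capability = ( isset($_POST['post_type']) && $_POST['post_type'] == 'page' ) ? 'edit_page' : 'edit_post';
   if ( !current_user_can($capability, $post_id) ) {
    return $post_id;
   }

   // An unticked checkbox is not submitted at all, so test for its presence
   if ( isset($_POST['force_ssl']) && $_POST['force_ssl'] == 1 ) {
    update_post_meta($post_id, 'force_ssl', 1);
   } else {
    delete_post_meta($post_id, 'force_ssl');
   }

   // Return the ID on every path, as documented (a boolean was returned here)
   return $post_id;
  }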
  407.  
  /**
   * Filters HTTPS urls from bloginfo function
   *
   * Only the URL-valued bloginfo fields are rewritten to http://; every
   * other field is returned untouched.
   *
   * @param string $result
   * @param string $show
   * @return string
   */
  function bloginfo($result = '', $show = '') {
   $url_fields = array('stylesheet_url', 'template_url', 'wpurl', 'home', 'siteurl', 'url');

   // Non-strict in_array() keeps the loose `==` comparison of the field name
   if ( in_array($show, $url_fields) ) {
    return $this->replace_https($result);
   }

   return $result;
  }
  421.  
  /**
   * Add admin panel menu option
   *
   * Registers the settings page under Settings, restricted to users with
   * the `manage_options` capability.
   *
   * @return void
   */
  function menu() {
   $render_callback = array(&$this, 'settings');

   add_options_page('WordPress HTTPS Settings', 'WordPress HTTPS', 'manage_options', 'wordpress-https', $render_callback);
  }
  431.  
  /**
   * Add plugin links to Manage Plugins page in admin panel
   *
   * Rows belonging to other plugins are returned unchanged.
   *
   * @param array $links
   * @param string $file
   * @return array
   */
  function plugin_links($links, $file) {
   $is_this_plugin = ( strpos($file, basename( __FILE__)) !== false );

   if ( $is_this_plugin ) {
    $extra_links = array(
     '<a href="' . site_url() . '/wp-admin/options-general.php?page=wordpress-https" title="WordPress HTTPS Settings">Settings</a>',
     '<a href="http://wordpress.org/extend/plugins/wordpress-https/faq/" title="Frequently Asked Questions">FAQ</a>',
     '<a href="http://wordpress.org/tags/wordpress-https#postform" title="Support">Support</a>',
     '<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=6ZL95VTJ388HG" title="Support WordPress HTTPS development with a donation!">Donate</a>',
    );

    // Append one at a time so the existing keys of $links are left alone
    foreach ( $extra_links as $extra_link ) {
     $links[] = $extra_link;
    }
   }

   return $links;
  }
  450.  
  /**
   * Start output buffering
   *
   * Routes all page output through process(). When external elements are
   * checked over HTTPS it first tries to switch on allow_url_fopen.
   *
   * @return void
   */
  function buffer_start() {
   $rewrite_external = ( get_option('wordpress-https_externalurls') == 1 );

   if ( $rewrite_external && get_option('wordpress-https_bypass') != 1 ) {
    // NOTE(review): allow_url_fopen is a system-level ini setting, so this
    // call is not expected to take effect at runtime - confirm
    @ini_set('allow_url_fopen', 1);
   }

   ob_start(array(&$this, 'process'));
  }
  463.  
  /**
   * End output buffering
   *
   * Flushes and closes the active output buffer. The constructor leaves
   * the hook that would call this commented out.
   *
   * @return void
   */
  function buffer_end() {
   ob_end_flush();
  }
  473.  
  /**
   * Replace HTTPS with HTTP
   *
   * Every occurrence of the scheme prefix in the string is replaced, not
   * just a leading one.
   *
   * @param string $string
   * @return string
   */
  function replace_https($string) {
   $secure_prefix = 'https://';
   $plain_prefix  = 'http://';

   return str_replace($secure_prefix, $plain_prefix, $string);
  }
  483.  
  /**
   * Replace HTTP with HTTPS
   *
   * Every occurrence of `http://` in the string is replaced; text that is
   * already `https://` does not contain that prefix and stays as it is.
   *
   * @param string $string
   * @return string
   */
  function replace_http($string) {
   $plain_prefix  = 'http://';
   $secure_prefix = 'https://';

   return str_replace($plain_prefix, $secure_prefix, $string);
  }
  493.  
  /**
   * Fix secure_auth_cookie
   *
   * Filter callback: the incoming filter value is ignored and the Secure
   * flag follows WordPress' own is_ssl(), not this class's is_ssl().
   *
   * @return boolean
   */
  function secure_auth_cookie() {
   $request_is_ssl = is_ssl();

   return $request_is_ssl;
  }
  500.  
  /**
   * Fix secure_logged_in_cookie
   *
   * Filter callback: the incoming filter value is ignored and the Secure
   * flag follows WordPress' own is_ssl(), not this class's is_ssl().
   *
   * @return boolean
   */
  function secure_logged_in_cookie() {
   $request_is_ssl = is_ssl();

   return $request_is_ssl;
  }
  507.  
  /**
   * Set HTTP/HTTPS cookies
   *
   * Hooked on set_auth_cookie and set_logged_in_cookie. Emits a second copy
   * of the cookie WordPress is setting, named for the site URL of the other
   * scheme, so that a login on one scheme is also seen on the other.
   *
   * NOTE(review): when the request is HTTPS, $secure is false below, so the
   * copy is sent without the Secure attribute and travels over plain HTTP.
   * Treat the HTTP side of the session as observable on the network.
   *
   * @param string $cookie     Cookie value passed by the hook
   * @param int    $expire     Expiry passed to setcookie()
   * @param int    $expiration Unused here
   * @param int    $user_id    Passed on to the secure_auth_cookie filter
   * @param string $scheme     'logged_in' selects the logged-in cookie
   * @return void
   */
  function set_cookie($cookie, $expire, $expiration, $user_id, $scheme) {
   // Deliberately inverted: this method targets the scheme that the current
   // request is NOT using
   $secure = !apply_filters('secure_auth_cookie', is_ssl(), $user_id);

   $siteurl = get_site_option( 'siteurl' );
   $the_siteurl = $secure
    ? str_replace('http://', 'https://', $siteurl)
    : str_replace('https://', 'http://', $siteurl);
   $cookiehash = md5( $the_siteurl );

   // Same hash as the cookies WordPress already sets: nothing to mirror
   if ( $cookiehash == COOKIEHASH ) {
    return;
   }

   if ( $scheme == 'logged_in' ) {
    $cookie_name = str_replace(COOKIEHASH, $cookiehash, LOGGED_IN_COOKIE);
    $paths = ( COOKIEPATH != SITECOOKIEPATH ) ? array(COOKIEPATH, SITECOOKIEPATH) : array(COOKIEPATH);
   } else {
    $cookie_name = str_replace(COOKIEHASH, $cookiehash, $secure ? SECURE_AUTH_COOKIE : AUTH_COOKIE);
    $scheme = $secure ? 'secure_auth' : 'auth';
    $paths = array(PLUGINS_COOKIE_PATH, ADMIN_COOKIE_PATH);
   }

   // setcookie() takes an HttpOnly argument from PHP 5.2.0; before that the
   // attribute is appended to a non-empty cookie domain instead
   $has_httponly_arg = version_compare(phpversion(), '5.2.0', 'ge');
   $cookie_domain = COOKIE_DOMAIN;
   if ( !$has_httponly_arg && !empty($cookie_domain) ) {
    $cookie_domain .= '; HttpOnly';
   }

   foreach ( $paths as $path ) {
    if ( $has_httponly_arg ) {
     setcookie($cookie_name, $cookie, $expire, $path, COOKIE_DOMAIN, $secure, true);
    } else {
     setcookie($cookie_name, $cookie, $expire, $path, $cookie_domain, $secure);
    }
   }
  }
  557.  
  /**
   * Clear HTTP/HTTPS cookies
   *
   * Hooked on clear_auth_cookie. Expires the cookie copies that
   * set_cookie() creates for the other scheme, on every path WordPress
   * uses plus the legacy ones.
   *
   * @return void
   */
  function clear_cookie() {
   global $user_ID;
   get_currentuserinfo();

   // Inverted like in set_cookie(): address the scheme not in use right now
   $secure = !apply_filters('secure_auth_cookie', is_ssl(), $user_ID);

   $siteurl = get_site_option( 'siteurl' );
   $the_siteurl = $secure
    ? str_replace('http://', 'https://', $siteurl)
    : str_replace('https://', 'http://', $siteurl);
   $cookiehash = md5( $the_siteurl );

   if ( $cookiehash == COOKIEHASH ) {
    return;
   }

   // (cookie name template, path) pairs, in the order they are expired
   $targets = array(
    array(AUTH_COOKIE, ADMIN_COOKIE_PATH),
    array(SECURE_AUTH_COOKIE, ADMIN_COOKIE_PATH),
    array(AUTH_COOKIE, PLUGINS_COOKIE_PATH),
    array(SECURE_AUTH_COOKIE, PLUGINS_COOKIE_PATH),
    array(LOGGED_IN_COOKIE, COOKIEPATH),
    array(LOGGED_IN_COOKIE, SITECOOKIEPATH),
    // Old cookies
    array(AUTH_COOKIE, COOKIEPATH),
    array(AUTH_COOKIE, SITECOOKIEPATH),
    array(SECURE_AUTH_COOKIE, COOKIEPATH),
    array(SECURE_AUTH_COOKIE, SITECOOKIEPATH),
   );

   foreach ( $targets as $target ) {
    $cookie_name = str_replace(COOKIEHASH, $cookiehash, $target[0]);
    // An expiry one year in the past tells the browser to drop the cookie
    setcookie($cookie_name, ' ', time() - 31536000, $target[1], COOKIE_DOMAIN, $secure);
   }
  }
  591.  
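  /**
   * Settings page in admin panel
   *
   * On POST, verifies the capability and the form nonce, validates and
   * stores the options, and answers AJAX submissions with the message
   * markup only. Otherwise renders the settings form.
   *
   * @return void
   */
  function settings() {
   if ( !current_user_can('manage_options') ) {
    wp_die( __('You do not have sufficient permissions to access this page.') );
   }

   $errors = array();

   if ( $_SERVER['REQUEST_METHOD'] === 'POST' ) {
    // settings_fields('wordpress-https') in the form below emits a nonce for
    // the action "wordpress-https-options". It was never verified, so any
    // page opened in an administrator's browser could submit these options,
    // including the Shared SSL host that redirects are sent to.
    // NOTE(review): confirm js/admin.js submits the nonce field with the form.
    check_admin_referer('wordpress-https-options');

    $host_key = 'wordpress-https_sharedssl_host';
    $host_raw = ( isset($_POST[$host_key]) && is_string($_POST[$host_key]) ) ? trim($_POST[$host_key]) : '';

    foreach ( $this->options_default as $key => $default ) {
     if ( $key == $host_key ) {
      $host = '';
      if ( $host_raw != '' ) {
       // parse_url() returns false on malformed input and leaves out absent
       // parts; a value typed without a scheme arrives entirely as 'path'
       $url = parse_url($host_raw);
       $location = '';
       if ( is_array($url) ) {
        $location = ( isset($url['host']) ? $url['host'] : '' ) . ( isset($url['path']) ? $url['path'] : '' );
       }

       if ( $location != '' ) {
        $host = 'https://' . $location;
        if ( substr($host, -1, 1) == '/' ) {
         $host = substr($host, 0, strlen($host)-1);
        }
       } else {
        $errors[] = '<strong>Shared SSL Host</strong> - Invalid host.';
       }
      }
      update_option($key, $host);
      continue;
     }

     // Every other option is a checkbox that submits value="1" when ticked
     // and nothing at all when unticked; store 1 or 0, never the raw input
     $enabled = ( isset($_POST[$key]) && $_POST[$key] == 1 ) ? 1 : 0;

     if ( $enabled ) {
      if ( $key == 'wordpress-https_sharedssl' && $host_raw == '' ) {
       $errors[] = '<strong>Shared SSL Host</strong> - Invalid host.';
       $enabled = 0;
      } else if ( $key == 'wordpress-https_externalurls' && ini_get('allow_url_fopen') != 1 ) {
       $errors[] = '<strong>External HTTPS Elements</strong> - PHP configuration error: allow_url_fopen must be enabled.';
       $enabled = 0;
      } else if ( $key == 'wordpress-https_disable_autohttps' && version_compare(get_bloginfo('version'),'3.0','<') ) {
       $enabled = 0;
      }
     }

     update_option($key, $enabled);
    }

    // AJAX submissions get the message markup only; $errors holds fixed
    // strings written above, so it is printed as HTML
    if ( isset($_POST['ajax']) && $_POST['ajax'] == 1 ) {
     ob_clean();
     if ( sizeof( $errors ) > 0 ) {
      echo "  <ul id=\"message\">\n";
      foreach ( $errors as $error ) {
       echo "   <li class=\"error\"><p>".$error."</p></li>\n";
      }
      echo "  </ul>\n";
     } else {
      echo "   <div class=\"updated below-h2 fade\" id=\"message\"><p>Settings saved.</p></div>\n";
     }
     exit();
    }
   }
?>
 <div class="wrap">
  <div id="icon-options-general" class="icon32"><br /></div>
  <h2>WordPress HTTPS Settings</h2>

<?php
   if ( $_SERVER['REQUEST_METHOD'] === 'POST' ) {
    if ( sizeof( $errors ) > 0 ) {
     echo "  <ul id=\"message\">\n";
     foreach ( $errors as $error ) {
      echo "   <li class=\"error\"><p>".$error."</p></li>\n";
     }
     echo "  </ul>\n";
    } else {
     echo "   <div class=\"updated below-h2 fade\" id=\"message\"><p>Settings saved.</p></div>\n";
    }
   } else {
    echo "  <div id=\"message-wrap\"><div id=\"message-body\"></div></div>\n";
   }
?>

  <div id="wphttps-sidebar">

   <div class="wphttps-widget" id="wphttps-support">
    <h3 class="wphttps-widget-title">Support</h3>
    <div class="wphttps-widget-content">
     <p>Have you tried everything and your website is still giving you partially encrypted errors?</p>
     <p>If you haven't already, check out the <a href="http://wordpress.org/extend/plugins/wordpress-https/faq/" target="_blank">Frequently Asked Questions</a>.</p>
     <p>Still not fixed? Having other problems? Please <a href="http://wordpress.org/tags/wordpress-https#postform" target="_blank">start a support topic</a> and I'll do my best to assist you.</p>
    </div>
   </div>

   <div class="wphttps-widget" id="wphttps-donate">
    <h3 class="wphttps-widget-title">Donate</h3>
    <div class="wphttps-widget-content">
     <p>If you found this plugin useful, or I've already helped you with your website, please considering buying me a <a href="http://en.wikipedia.org/wiki/Newcastle_Brown_Ale" target="_blank">beer</a> or two.</p>
     <p>Donations help alleviate the time spent developing and supporting this plugin and are greatly appreciated.</p>

     <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
      <input type="hidden" name="cmd" value="_s-xclick">
      <input type="hidden" name="hosted_button_id" value="N9NFVADLVUR7A">
      <input type="image" src="https://www.paypal.com/en_US/i/btn/btn_donate_SM.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
      <img alt="" border="0" src="https://www.paypal.com/en_US/i/scr/pixel.gif" width="1" height="1">
     </form>

    </div>
   </div>

  </div>

  <form name="form" id="wordpress-https" action="options-general.php?page=wordpress-https" method="post">
   <?php settings_fields('wordpress-https'); ?>

   <fieldset>
    <label for="wordpress-https_internalurls"><input name="wordpress-https_internalurls" type="checkbox" id="wordpress-https_internalurls" value="1"<?php echo ((get_option('wordpress-https_internalurls')) ? ' checked="checked"' : ''); ?> /> <strong>Internal HTTPS Elements</strong></label>
    <p>Force internal elements to HTTPS when viewing a secure page.</p>
    <p class="description">Fixes most partially encrypted errors.</p>
   </fieldset>

   <fieldset>
    <label for="wordpress-https_externalurls"><input name="wordpress-https_externalurls" type="checkbox" id="wordpress-https_externalurls" value="1"<?php echo ((get_option('wordpress-https_externalurls')) ? ' checked="checked"' : ''); ?> /> <strong>External HTTPS Elements</strong></label>
    <p>Attempt to automatically force external elements to HTTPS when viewing a secure page. External elements are any element not hosted on your domain.</p>
    <p class="description">Warning: This option checks that the external element can be loaded via HTTPS while the page is loading. Depending on the amount of external elements, this could affect the load times of your pages.</p>
   </fieldset>

   <fieldset>
    <label for="wordpress-https_bypass"><input name="wordpress-https_bypass" type="checkbox" id="wordpress-https_bypass" value="1"<?php echo ((get_option('wordpress-https_bypass')) ? ' checked="checked"' : ''); ?> /> <strong>Bypass External Check</strong></label>
    <p>Disable the option to check if an external element can be loaded over HTTPS.</p>
    <p class="description">Warning: Bypassing the HTTPS check for external elements may cause elements to not load at all. Only enable this option if you know that all external elements can be loaded over HTTPS.</p>
   </fieldset>

<?php if (version_compare(get_bloginfo('version'),'3.0','>=')) { ?>
   <fieldset>
    <label for="wordpress-https_disable_autohttps"><input name="wordpress-https_disable_autohttps" type="checkbox" id="wordpress-https_disable_autohttps" value="1"<?php echo ((get_option('wordpress-https_disable_autohttps')) ? ' checked="checked"' : ''); ?> /> <strong>Disable Automatic HTTPS</strong></label>
    <p>Prevents WordPress 3.0+ from making all links HTTPS when viewing a secure page.</p>
    <p class="description">When a page is viewed via HTTPS in WordPress 3.0+, all internal page, category and post links are forced to HTTPS. This option will disable that.</p>
   </fieldset>

<?php } ?>
   <fieldset>
    <label for="wordpress-https_exclusive_https"><input name="wordpress-https_exclusive_https" type="checkbox" id="wordpress-https_exclusive_https" value="1"<?php echo ((get_option('wordpress-https_exclusive_https')) ? ' checked="checked"' : ''); ?> /> <strong>Force SSL Exclusively</strong></label>
    <p>Exclusively force SSL on posts and pages with the `Force SSL` option checked. All others are redirected to HTTP.</p>
    <p class="description">WordPress HTTPS adds a 'Force SSL' checkbox to each post and page right above the publish button (<a href="<?php echo htmlspecialchars($this->plugin_url, ENT_QUOTES); ?>/screenshot-2.png" target="_blank">screenshot</a>). When selected, the post or page will be forced to HTTPS. With this option enabled, all posts and pages without 'Force SSL' checked will be redirected to HTTP.</p>
   </fieldset>

   <fieldset>
    <label for="wordpress-https_sharedssl"><input name="wordpress-https_sharedssl" type="checkbox" id="wordpress-https_sharedssl" value="1"<?php echo ((get_option('wordpress-https_sharedssl')) ? ' checked="checked"' : ''); ?> /> <strong>Shared SSL</strong></label>
    <p>Enable this option if you are using a Shared SSL certificate and your Shared SSL Host is something other than '<?php echo htmlspecialchars($this->replace_http($this->http_url), ENT_QUOTES); ?>/'.</p>
    <?php // Stored option values are escaped before they are placed inside an attribute ?>
    <label><strong>Shared SSL Host</strong> <input name="wordpress-https_sharedssl_host" type="text" id="wordpress-https_sharedssl_host" value="<?php echo htmlspecialchars((string) get_option('wordpress-https_sharedssl_host'), ENT_QUOTES); ?>" /></label>
   </fieldset>

<?php if (get_option('show_on_front') == 'posts') { ?>
   <fieldset>
    <label for="wordpress-https_frontpage"><input name="wordpress-https_frontpage" type="checkbox" id="wordpress-https_frontpage" value="1"<?php echo ((get_option('wordpress-https_frontpage')) ? ' checked="checked"' : ''); ?> /> <strong>HTTPS Front Page</strong></label>
    <p>It appears you are using your latest posts for your home page. If you would like that page to have SSL enforced, enable this option.</p>
   </fieldset>

<?php } ?>
   <p class="button-controls">
    <input type="submit" name="Submit" value="Save Changes" class="button-primary" />
    <img alt="Waiting..." src="<?php echo htmlspecialchars($this->plugin_url, ENT_QUOTES); ?>/css/images/wpspin_light.gif" class="waiting" id="submit-waiting" />
   </p>
  </form>

  <br style="clear: both" />

 </div>
<?php
  }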
  763.  } // End WordPressHTTPS Class
  764. }
  765.  
  766. if ( class_exists('WordPressHTTPS') ) {
  767.  $wordpress_https = new WordPressHTTPS();
  768. }
  769. ?>