403 (not authorized) on login form submit when using https
-
I have recently set up SSL on my site. Accessing the page via https works just fine. However logging in to the Dashboard only works via http. If logging in via https I get a 403 (not authorized).
If I just open the ‘wp-admin’ URL while not yet authenticated and then tweak the redirect parameter in the login page’s URL, I can access the dashboard even if the login page has been accessed via https.
Once I’m in the dashboard I can now change the URL back to https, and everything works fine.
Hence it seems like there is a problem when changing from the login page to the wp-admin base page, but only when the latter is opened via https.
Here’s a bit information on my setup:
I am using WP 5.8.1 (but the problem has been the same with the previous version).
The site runs on a managed server, i.e. I do not have access to the Apache webserver configuration.
In my wp-config.php file I have added this setting:
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') { $_SERVER['HTTPS']='on'; }My .htaccess looks like this (at the top I have commented out the automatic redirect for obvious reasons):
# RewriteEngine On # RewriteCond %{HTTP:X-Forwarded-Proto} !https # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE] # Header always set Content-Security-Policy "upgrade-insecure-requests;" # BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> # END WordPressIn the wp_options DB table I have set siteurl and home to the http URLs, because otherwise I would not have access to my dashboard then.
Several things I have tried with no success:
1. rename theme and plugins folder.
2. go over the file permissions, they all seem OK to me.
3. go through my wp-config.php file again and again.I have also tried to obtain more information by activating WP_DEBUG, display_errors, setting error_reporting to “E_ALL | E_STRICT”. The error_log file exists and is written from time to time, but nothing of interest in there.
Anything else I can try? It looks like in the past some others have had similar problems but I never found a solution working for me in those threads…
-
@wpcoworker thank you for your reply. I quickly tried this, but the effect is the same as before (only that, of course, I can no longer enforce an unencrypted http connection when accessing the Dashboard). Changing the
siteurlandhomeURLs back to http now allows me to access the Dashboard without encryption again (as before).As you have mentioned a possible http URL I have now tried to login having the Firefox development tools open looking at the network tab. I see this here:
302 POST 🔒 <my-site-url> wp-login.php 403 GET 🔒 <my-site-url> /wp-admin/So no redirect to any http URL.
The topic ‘403 (not authorized) on login form submit when using https’ is closed to new replies.