Forgive me if this is just a lack of understanding; I usually make this change when I install new versions, and I can't see much online to give me the reasoning for why it works the way it does.
The "check HTTPS connection" in libraries/common.inc.php uses is_https to check whether a redirect should be made if ForceSSL is turned on. From is_https: "This function checks if the https protocol is used in the PmaAbsoluteUri" which as I understand it is the configuration value which will always contain https:// if set that way.
Should it not instead use detectHttps to check if the active connection is secure to know whether a redirect is required?
Thanks.
I dug around this issue and my interpretation is the following:
Case 1: PmaAbsoluteUri setting is null by default, ForceSSL is true
Works like: If the requested URL is not https, then redirect to https (PmaAbsoluteUri is autopopulated)
Case 2: PmaAbsoluteUri setting is set to http, ForceSSL is true
Works like: Always redirect
Case 3: PmaAbsoluteUri setting is set to https, ForceSSL is true
Works like: Never redirect
Case 3 might be problematic because, for example, you can access the login page through http and not get redirected even though ForceSSL is true. Waiting for opinion.
Fixed with https://github.com/madhuracj/phpmyadmin/commit/47b734473e964546c5ac6f5324324f8ebf7fc3d4
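The three cases discussed in this thread, modelled as an added example that is not part of the original posts or of phpMyAdmin's code: it compares a redirect decision based on the scheme of PmaAbsoluteUri with one based on the live request. The function names, host name and path are hypothetical, and it assumes TLS is terminated by the web server itself, so that `$_SERVER['HTTPS']` reflects the actual connection.

```php
<?php
// Added illustration; these helpers are hypothetical, not phpMyAdmin functions.

/** Config-based check: looks only at the scheme of the configured or auto-populated URI. */
function configSaysHttps(string $absoluteUri): bool
{
    return strncasecmp($absoluteUri, 'https://', 8) === 0;
}

/** Connection-based check: looks at the request actually being served. */
function requestIsHttps(array $server): bool
{
    $https = strtolower($server['HTTPS'] ?? '');
    return $https !== '' && $https !== 'off';
}

/** Models auto-population of the URI from the request when the setting is empty (Case 1). */
function effectiveUri(?string $configured, array $server): string
{
    if ($configured !== null && $configured !== '') {
        return $configured;
    }
    $scheme = requestIsHttps($server) ? 'https' : 'http';
    return $scheme . '://' . ($server['HTTP_HOST'] ?? 'localhost') . '/phpmyadmin/';
}

// Constructed sample requests (stand-ins for $_SERVER).
$plain  = ['HTTP_HOST' => 'db.example.test'];
$secure = ['HTTP_HOST' => 'db.example.test', 'HTTPS' => 'on'];

// Constructed PmaAbsoluteUri values for the three cases, all with ForceSSL on.
$cases = [
    'Case 1 (unset)' => null,
    'Case 2 (http)'  => 'http://db.example.test/phpmyadmin/',
    'Case 3 (https)' => 'https://db.example.test/phpmyadmin/',
];

foreach ($cases as $label => $configured) {
    foreach (['http' => $plain, 'https' => $secure] as $via => $server) {
        // Redirect decision when only the URI scheme is consulted.
        $byConfig  = !configSaysHttps(effectiveUri($configured, $server));
        // Redirect decision when the live connection is consulted.
        $byRequest = !requestIsHttps($server);
        printf("%-15s request over %-5s redirect(config)=%-3s redirect(request)=%s\n",
            $label, $via, $byConfig ? 'yes' : 'no', $byRequest ? 'yes' : 'no');
    }
}
```

The rows where the two columns disagree are Case 2 over https (config-based check keeps redirecting) and Case 3 over http (config-based check never redirects, so the login page is served in cleartext).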