Use Case:
User clicks on the logout link from our authenticated site, I have set up a trigger to redirect the user to our "anonymous" site. (auth.mysite.com -> mysite.com). To achieve this I created a redirect action and attached it to the "After User Logs Out" trigger.
Expected behaviour:
User clicks on logout link
User is logged out and is redirected to anonymous site.
Actual Behaviour:
User clicks on logout link
User is redirected to anonymous site.
*** USER IS NOT LOGGED OUT of original site. ***
Returning to the original site, confirms that the user is still logged in on that site.
What I Have:
LAMP using Drupal 7. Both sites share the same database. Caching Off.
Comments
Comment #1
indigoblue commented:
Update:
I have also noted this exact behaviour using a logout link like
Has anyone else seen this behaviour? I believe that this presents a security risk, because if a user logs out on a public computer using this method, they unknowingly leave their account entirely open.
From the investigations I have done, it appears that the logged-in session survives the logout or somehow gets resurrected before the user is redirected.
Comment #2
indigoblue commented:
Changed description to more accurately describe the issue.
Comment #3
indigoblue commented:
No one wants to touch this one, so I'll have a conversation with myself in the hope that it might help anyone else who experiences this issue. This is what I believe the situation is.
On logout, currently, using an external URL redirect cannot work. I am surmising that this is because the system redirects BEFORE the session cookie can be modified, i.e. the cookie changes never land on the local domain. Using a local URL does work, but of course is not the behaviour I wanted.
One solution that should work is to redirect to a local page, where you have inserted a bit of JavaScript redirect code on the onload event. This should allow the session cookie to be properly modified/deleted before redirecting to the external site.
I'm not sure if this is a bug or a documentation issue. I looked for a definitive statement on the redirect behaviour, but it is either not there or I missed it. Either way, I'll leave it to someone who knows definitively to mark this issue appropriately.
Comment #4
Anonymous (not verified) commented:
I got the same result on a fresh D7 install. I tried this with the trigger module set to redirect after logout, as well as with a manually set logout link in the main menu.
Comment #5
indigoblue commented:
The ONLY way I have found that works is to use the method I speculated about in #3.
Create a blank page (or in a module) and add a JavaScript method that redirects to your desired page in the document onLoad event. I did it in a module ...
The only downside is that there is a brief "flicker" on the blank page before it redirects.
It works very reliably. The user IS logged out and IS redirected to the external site. I'm sure there is a smoother way of doing this, but it's a start!
Hope this helps.
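The interstitial approach from comment #5, written out as an added example (this is not the commenter's module and not part of the original thread). It assumes a hypothetical module named logout_redirect_example, a local path logout-complete, the target http://mysite.com/, and that the trigger module's redirect action has been removed so user_logout() runs to completion. The logout link then points at user/logout?destination=logout-complete: a local destination is accepted by drupal_goto(), the logout finishes normally, and only the landing page below sends the browser to the external site.

```php
<?php
/**
 * @file
 * Added example (not from the thread): Drupal 7 module that logs the user out
 * through a local interstitial page and only then redirects, client-side, to an
 * external site. Module name, path and target URL are assumptions.
 */

/**
 * Implements hook_menu().
 */
function logout_redirect_example_menu() {
  $items['logout-complete'] = array(
    'title' => 'Logging out',
    'page callback' => 'logout_redirect_example_page',
    // Anyone may reach this page; by the time we get here the session is gone.
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: local landing page that redirects to the external site.
 *
 * Link to it as user/logout?destination=logout-complete. The destination is a
 * local path, so drupal_goto() honours it and the logout completes before the
 * browser ever leaves this domain.
 */
function logout_redirect_example_page() {
  // Fixed, site-controlled target (assumed URL). Never take it from the
  // request, or this page becomes an open redirect.
  $target = 'http://mysite.com/';

  // Belt and braces: do not bounce an authenticated user off-site. If this
  // ever fires, the logout did not happen and something upstream is wrong.
  if (user_is_logged_in()) {
    return t('You are still logged in. Please use the logout link again.');
  }

  // Client-side redirect on load; drupal_json_encode() escapes the URL for JS.
  drupal_add_js(
    'window.onload = function () { window.location.replace(' . drupal_json_encode($target) . '); };',
    array('type' => 'inline', 'scope' => 'footer')
  );

  // Fallback for browsers without JavaScript.
  drupal_add_html_head(array(
    '#type' => 'html_tag',
    '#tag' => 'meta',
    '#attributes' => array(
      'http-equiv' => 'refresh',
      'content' => '0; url=' . $target,
    ),
  ), 'logout_redirect_example_refresh');

  return t('You have been logged out. Redirecting to <a href="@url">@url</a>...', array('@url' => $target));
}
```

The logged-in check is the detection step for the very bug this issue reports: if the session survived, the page refuses to redirect instead of silently leaving an open account behind. The brief flicker the commenter mentions is inherent to this approach, since the browser has to render the local page before the script runs.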
Comment #6
tstoeckler commented:
External redirects are not possible with drupal_goto(), because they can be a security vulnerability.
You should be able to achieve what you want with a module that implements hook_drupal_goto_alter(). Hope that helps!
Comment #7
nevergone commented:
drupal_goto():
Comment #8
tstoeckler commented:
Ahh, sorry for being unclear (or better: wrong) in my comment above.
Here is the code comment from drupal_goto():
// We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector.
So the problem is with passing the URL via ?destination.
The parent issue that tries to deal with the 'redirect' action being broken in this way is #732542: system_goto_action breaks core APIs. I'm not up-to-date on the current status of that issue, though.
What you could do in a custom module is:
(Untested.)
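An added example of the hook_drupal_goto_alter() approach suggested above (this is my code, not the untested snippet the commenter had in mind, and not part of the thread). It assumes a hypothetical module named logout_redirect_example, a site variable logout_redirect_example_target defaulting to http://mysite.com/, and that the trigger module's redirect action is no longer attached to "After User Logs Out". In Drupal 7, user_logout() invokes hook_user_logout(), then session_destroy(), then drupal_goto(); the alter hook runs inside that final drupal_goto(), so the session is already destroyed when the Location header is sent. The trigger's redirect action, by contrast, calls drupal_goto() from within hook_user_logout(), before session_destroy() ever runs, which is what issue #732542 is about.

```php
<?php
/**
 * @file
 * Added example (not from the thread): redirect to an external site after
 * logout using hook_drupal_goto_alter(). Module name, variable name and target
 * URL are assumptions.
 */

/**
 * Implements hook_user_logout().
 *
 * Only remember that a logout is in progress. No redirect happens here, so
 * nothing in this hook can short-circuit the session_destroy() that
 * user_logout() performs next.
 */
function logout_redirect_example_user_logout($account) {
  $logging_out = &drupal_static('logout_redirect_example_logging_out', FALSE);
  $logging_out = TRUE;
}

/**
 * Implements hook_drupal_goto_alter().
 *
 * Runs inside the drupal_goto() that user_logout() calls after
 * session_destroy(), i.e. after the session row is gone and the expired
 * session cookie has been queued for the response.
 */
function logout_redirect_example_drupal_goto_alter(&$path, &$options, &$http_response_code) {
  if (!drupal_static('logout_redirect_example_logging_out', FALSE)) {
    // Not the logout redirect: leave other drupal_goto() calls alone.
    return;
  }

  // Fixed, site-controlled target (assumed variable). Do NOT read it from
  // $_GET['destination'] or any other request value: drupal_goto() ignores
  // external destinations from the query string precisely to block open
  // redirects, and this hook must not reintroduce that hole.
  $target = variable_get('logout_redirect_example_target', 'http://mysite.com/');

  // Allow-list the host as well, so a bad config value cannot send users
  // anywhere unexpected. url_is_external() also rejects dangerous schemes.
  $allowed_hosts = array('mysite.com');
  $host = parse_url($target, PHP_URL_HOST);
  if (!url_is_external($target) || !in_array($host, $allowed_hosts, TRUE)) {
    // Misconfigured: fall back to Drupal's default local redirect.
    return;
  }

  $path = $target;
  $options['external'] = TRUE;
  // Discard query/fragment that belonged to the original local destination.
  $options['query'] = array();
  unset($options['fragment']);
}
```

Keep the $http_response_code at its default 302; the browser follows the Location header after processing the Set-Cookie header that expires the session, which is the ordering the trigger-based action never reached. To verify, log in, hit user/logout, and confirm that returning to auth.mysite.com shows the anonymous site rather than the still-authenticated one described at the top of this issue.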
Comment #9
druser01 commented:
I tested this code and it worked like a charm for me.
Thanks a lot!
Comment #10
Jooblay.net commented:
Can we close this ticket? :)
Comment #11
dcam commented: