Use Case:
User clicks on the logout link from our authenticated site; I have set up a trigger to redirect the user to our "anonymous" site (auth.mysite.com -> mysite.com). To achieve this I created a redirect action and attached it to the "After User Logs Out" trigger.

Expected behaviour:
User clicks on logout link
User is logged out and is redirected to anonymous site.

Actual Behaviour:
User clicks on logout link
User is redirected to anonymous site.
*** USER IS NOT LOGGED OUT of original site. ***

Returning to the original site, confirms that the user is still logged in on that site.

What I Have:
LAMP using Drupal 7. Both sites share the same database. Caching Off.

Comments

indigoblue’s picture

Title: User log Out with external redirect does not log out - Security Risk » Trigger On User log Out with url redirect does not log out

Update:

I have also noted this exact behaviour using a logout link like

user/logout?destination=external_url

Has anyone else seen this behaviour? I believe that this presents a security risk - because if a user logs out on a public computer using this method - they unknowingly leave their account entirely open.

From the investigations I have done - it appears that the logged in session survives the logout or somehow gets resurrected before the user is redirected.

indigoblue’s picture

Title: Trigger On User log Out with url redirect does not log out » User log Out with external redirect does not log out - Security Risk
Component: trigger.module » user.module
Issue tags: +Security

Changed description to more accurately describe issue

indigoblue’s picture

Title: Trigger On User log Out with url redirect does not log out » User log Out with external redirect does not log out - Security Risk

No one wants to touch this one, so I'll have a conversation with myself in the hope that it might help anyone else who experiences this issue. This is what I believe the situation is.

On logout, currently, using an external URL redirect cannot work. I am surmising that this is because the system redirects BEFORE the session cookie can be modified, i.e. the cookie changes never land on the local domain. Using a local URL does work but of course is not the behaviour I wanted.

One solution that should work is to redirect to a local page, where you have inserted a bit of javascript redirect code on the onload event. This should allow the session cookie to be properly modified/deleted before redirecting to the external site.

I'm not sure if this is a bug or a documentation issue - I looked for a definitive statement on the redirect behaviour but it is either not there or I missed it - either way I'll leave it to someone who knows definitively to mark this issue appropriately.

Anonymous’s picture

I got the same result on a fresh D7 install. I tried this with the trigger module set to redirect after logout, as well as with a manually set logout link in the main menu.

indigoblue’s picture

Category: support » bug

The ONLY way I have found that works is to use the method I speculated about in #3.

Create a blank page (or do it in a module) and add a JavaScript method that redirects to your desired page in the document onLoad event. I did it in a module:

function MY_MODULE_menu() {
  // Local landing page the "After User Logs Out" redirect action points at.
  $items['log/out'] = array(
    'page callback' => 'MY_MENU_FUNTION_user_logout',
    // Anyone may reach the page; no access arguments are needed with TRUE.
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );

  return $items;
}

function MY_MENU_FUNTION_user_logout() {
  $build = array();
  // Redirect to the external site once the page (and the logout cookie change) has landed.
  drupal_add_js('jQuery(document).ready(function () { window.location = "http://example.co.uk"; });', 'inline');
  $build['#markup'] = "LOGGED OUT";
  return $build;
}

The only downside is that there is a brief "flicker" on the blank page before it redirects.

It works very reliably. The user IS logged out and IS redirected to the external site. I'm sure there is a smoother way of doing this, but it's a start!

Hope this helps.

tstoeckler’s picture

Category: bug » support

External redirects are not possible with drupal_goto(), because they can be a security vulnerability.
You should be able to achieve what you want with a module that implements hook_drupal_goto_alter(). Hope that helps!

nevergone’s picture

Category: bug » support

External redirects are not possible with drupal_goto(), because they can be a security vulnerability.

drupal_goto():

Parameters
$path A Drupal path or a full URL.

tstoeckler’s picture

Ahh, sorry for being unclear (or better: wrong) in my comment above.
Here is the code comment from drupal_goto():
// We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector.

So the problem is with passing the URL via ?destination.

The parent issue that tries to deal with the 'redirect' action being broken in this way is #732542: system_goto_action breaks core APIs. I'm not up-to-date on the current status of that issue, though.

What you could do in a custom module is:


function logout_external_menu() {
  $items['user/logout_external'] = array(
    'page callback' => 'logout_external_logout',
    ...
  );
  return $items;
}

function logout_external_logout() {
  // @see user_logout();
  // @todo Turn user_logout() into a proper API function.
  global $user;
  watchdog('user', 'Session closed for %name.', array('%name' => $user->name));
  module_invoke_all('user_logout', $user);
  session_destroy();

  $external_url = variable_get('logout_external_url', NULL);
  drupal_goto($external_url);
}

(Untested.)
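The two code fragments above (indigoblue's JavaScript landing page and tstoeckler's custom logout callback) both work around the same ordering problem: in Drupal 7, user_logout() invokes hook_user_logout() before it calls session_destroy(), and the redirect action fired by the trigger calls drupal_goto(), which ends the request, so session_destroy() is never reached. Below is an added example, not code from this thread or from Drupal core, of a small module that destroys the session first and redirects second, and that also checks the external target against an administrator-defined allowlist so the endpoint cannot be abused as an open redirect. The module name safe_logout, the path user/logout_external, and the variables safe_logout_url and safe_logout_allowed_hosts are assumptions.

```php
<?php
/**
 * Added example module "safe_logout" (assumed name): log the user out, then
 * redirect to an allowlisted external site. Not part of the original thread.
 */

/**
 * Implements hook_menu().
 */
function safe_logout_menu() {
  // Assumed path; point menu links or the logout trigger's redirect here.
  $items['user/logout_external'] = array(
    'title' => 'Log out',
    'page callback' => 'safe_logout_page',
    'access callback' => 'user_is_logged_in',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: terminate the session first, redirect second.
 *
 * Mirrors the steps user_logout() performs, minus its unconditional
 * drupal_goto(), so the redirect happens only after session_destroy() has
 * deleted the session row and emitted the expiring session cookie. Both the
 * Set-Cookie and the Location header travel in the same response, so the
 * cookie removal lands on the local domain before the browser leaves.
 */
function safe_logout_page() {
  global $user;

  // Resolve and validate the target before touching the session, so a
  // rejected target never leaves the user in a half-logged-out state.
  $target = safe_logout_target();

  watchdog('user', 'Session closed for %name.', array('%name' => $user->name));
  module_invoke_all('user_logout', $user);
  session_destroy();

  drupal_goto($target);
}

/**
 * Returns the configured external URL, or the front page if it fails checks.
 *
 * The destination is never read from the request (?destination=...), which
 * is what drupal_goto() refuses for absolute URLs; it comes from a site
 * variable (assumed name safe_logout_url) and is still checked against an
 * allowlist of hosts (assumed variable safe_logout_allowed_hosts).
 */
function safe_logout_target() {
  $configured = variable_get('safe_logout_url', '');
  $allowed = variable_get('safe_logout_allowed_hosts', array('mysite.com'));

  if ($configured === '') {
    return '<front>';
  }

  $parts = parse_url($configured);
  $scheme_ok = !empty($parts['scheme'])
    && in_array(strtolower($parts['scheme']), array('http', 'https'), TRUE);
  $host_ok = !empty($parts['host'])
    && in_array(strtolower($parts['host']), array_map('strtolower', $allowed), TRUE);

  if (!$scheme_ok || !$host_ok) {
    // Log and fall back to the local front page rather than following an
    // unexpected target; this keeps the endpoint from becoming an open redirect.
    watchdog('safe_logout', 'Rejected logout redirect target %url.',
      array('%url' => $configured), WATCHDOG_WARNING);
    return '<front>';
  }

  return $configured;
}
```

Usage: enable the module, set the variables (for example with variable_set('safe_logout_url', 'http://mysite.com/') and variable_set('safe_logout_allowed_hosts', array('mysite.com'))), and link the site's logout action to user/logout_external instead of user/logout?destination=...; the trigger-based redirect action is then no longer needed. Keeping the target in configuration rather than in the query string is what makes the allowlist check meaningful.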

druser01’s picture

I tested this code and it worked like a charm for me..
Thanks a lot!!!

Jooblay.net’s picture

Issue summary: View changes

Can we close this ticket:)

dcam’s picture

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.