Problem/Motivation
The logout link can only be requested between the time a page was requested and when a session expires. If a user agent has a stale page, for example because of caching or a long-lived page, and the user then attempts to log out after the session expires, they will receive a 403 access denied.
Proposed resolution
If an anonymous session attempts to access user/logout, the site will redirect to the front page without fuss.
Behaviour changes
User redirected to <front> route instead of 403
Original report by jim_at_miramontes
I don't think this is a duplicate of any previous issues; I'm encountering this situation with a D7 site: a user:
- leaves a browser window open on the site,
- gets timed out on the back end for having been inactive too long,
- returns to the browser after that long delay, and
- without refreshing the page, tries to log out via a link on that page to user/logout.
The access callback for user/logout is user_is_logged_in(), which fails in this situation since the user is logged out. As a result, the user gets the results of a 403 error rather than being thrown back to the home page via the drupal_goto() in user_logout().
This is admittedly a minor point, but it wouldn't be hard to address:
- Give user_logout() an open access callback so it can run even when the user is logged out, and
- Modify user_logout() to only do its work if there is a logged-in $user (and maybe raise an error message via drupal_set_message if the user was already logged out).
(See https://drupal.org/node/2192401 for a bit more discussion of this, btw.)
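
The two changes suggested in the report, written out as a Drupal 7 contrib-style module. This is an added example, not the reporter's code or a core patch; the module name logout_fix, the wrapper function and the message text are assumptions.

```php
<?php
/**
 * @file
 * logout_fix.module (hypothetical module name), Drupal 7.
 */

/**
 * Implements hook_menu_alter().
 */
function logout_fix_menu_alter(&$items) {
  if (isset($items['user/logout'])) {
    // Core guards this route with user_is_logged_in(), which is what
    // produces the 403 once the session has expired on the back end.
    $items['user/logout']['access callback'] = TRUE;
    // Route through a wrapper so core's user_logout() stays untouched.
    $items['user/logout']['page callback'] = 'logout_fix_logout';
    // The wrapper lives in this .module file, so drop core's include mapping.
    unset($items['user/logout']['file'], $items['user/logout']['file path']);
  }
}

/**
 * Page callback: end the session only when there is one to end.
 */
function logout_fix_logout() {
  if (user_is_logged_in()) {
    // user_logout() is defined in user.pages.inc. It invokes
    // hook_user_logout(), destroys the session and calls drupal_goto(),
    // so execution does not continue past this call.
    module_load_include('inc', 'user', 'user.pages');
    user_logout();
  }
  // Anonymous request (stale page, session already expired): there is
  // nothing to destroy and no logout hooks fire. Tell the user and send
  // them to the front page instead of returning a 403.
  drupal_set_message(t('You were already logged out.'));
  drupal_goto('<front>');
}
```

Rebuild the menu router (clear caches) after enabling the module so the altered route takes effect. Menu links are shown or hidden by the same access check as the route, so an open access callback also makes the Log out link visible to anonymous users wherever it appears in a menu.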