Channel: Issues for Drupal core

Anonymous users receive access denied when attempting to logout


Problem/Motivation

The logout link can only be requested successfully between the time a page was requested and the time the session expires. If a user agent holds a stale page, for example because of caching or a long-lived page, and the user then attempts to log out after the session has expired, they receive a 403 access denied.

Proposed resolution

If an anonymous session attempts to access user/logout, the site will redirect to the front page without fuss.

Behaviour changes

User redirected to <front> route instead of 403

Original report by jim_at_miramontes

I don't think this is a duplicate of any previous issues; I'm encountering this situation with a D7 site: a user:

  1. leaves a browser window open on the site,
  2. gets timed out on the back end for having been inactive too long,
  3. returns to the browser after that long delay, and
  4. without refreshing the page, tries to log out via a link on that page to user/logout.

The access callback for user/logout is user_is_logged_in(), which fails in this situation since the user is logged out. As a result, the user gets the results of a 403 error rather than being thrown back to the home page via the drupal_goto() in user_logout().

This is admittedly a minor point, but it wouldn't be hard to address:

  1. Give user_logout() an open access callback so it can run even when the user is logged out, and
  2. Modify user_logout() to only do its work if there is a logged-in $user (and maybe raise an error message via drupal_set_message if the user was already logged out).

(See https://drupal.org/node/2192401 for a bit more discussion of this, btw.)
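
The two changes suggested in the report can be sketched for Drupal 7 without patching core. This is an added example, not code from the original report or from Drupal core; the module name `logout_redirect`, the wrapper function and the message text are hypothetical.

```php
<?php
/**
 * @file
 * logout_redirect.module (hypothetical module name, Drupal 7).
 */

/**
 * Implements hook_menu_alter().
 */
function logout_redirect_menu_alter(&$items) {
  if (isset($items['user/logout'])) {
    // Replace the user_is_logged_in() access callback so that a request
    // arriving after the session expired is no longer rejected with a 403.
    $items['user/logout']['access callback'] = TRUE;
    // Route the path through a wrapper that checks for a logged-in user
    // before any session teardown happens.
    $items['user/logout']['page callback'] = 'logout_redirect_user_logout';
  }
}

/**
 * Page callback for user/logout (hypothetical wrapper).
 */
function logout_redirect_user_logout() {
  if (user_is_logged_in()) {
    // user_logout() is defined in user.pages.inc; load it explicitly so the
    // wrapper does not depend on the router item's include file.
    module_load_include('inc', 'user', 'user.pages');
    // Invokes hook_user_logout(), destroys the session and redirects to the
    // front page. drupal_goto() inside it ends the request.
    user_logout();
  }

  // Only reached by anonymous requests: there is no session to destroy,
  // so tell the user and send them to the front page.
  drupal_set_message(t('You were already logged out.'));
  drupal_goto();
}
```

The altered route takes effect once the menu router is rebuilt, for example by clearing caches.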

