Bug #103910

open

ext:felogin logout process not working as intended

Added by Torben Hansen 6 months ago. Updated about 1 month ago.

Status:
New
Priority:
Should have
Assignee:
Category:
felogin
Start date:
2024-05-25
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
13
PHP Version:
Tags:
breaking
Complexity:
Is Regression:
Sprint Focus:

Description

Although the login process in ext:felogin works correctly from a technical perspective, it does not work as intended.

The logout form is rendered with <f:form action="login" actionUri="{actionUri}" target="_top" fieldNamePrefix="">, where the value of actionUri is the possible redirect URL after the user has been logged out. The actionUri parameter, however, overwrites the form's action, so when the user logs out by submitting the logout form, a POST request is processed to the redirect URL. Since the POST request includes logintype=logout in the request body, TYPO3 authentication services terminate the user's sessions and the logout is finished. So basically, ext:felogin does not handle the logout process (as I would expect), but TYPO3 authentication services do.

However, ext:felogin has code to handle the logout process internally. In initializeAction we have code to check if a login or logout process is in process. Or in loginAction we have $this->isLogoutSuccessful(), which checks if the logout was successful by ensuring no user session exists and logintype=logout is part of GET/POST data. The code for the logout process can currently only be triggered manually (e.g. by calling the link https://domain.tld/login?logintype=logout).

In order to work as intended, the action of the logout form must always be the loginAction of ext:felogin and the actionUri parameter must be removed. In addition, the logout form should contain a new hidden input field <f:form.hidden name="redirect_url" value="{redirectURL}" />, where {redirectURL} is the evaluated/configured redirect URL from the ext:felogin plugin. Having this in place, ext:felogin will correctly handle the redirect after logout, and it is possible to use the LogoutConfirmedEvent or the BeforeRedirectEvent before the logout redirect is processed.

In addition, the current evaluation of the actionUri has issues. If redirect is disabled either by plugin or URL parameter redirect=0, then the logoutAction evaluates GET/POST data (function getRedirectUrlRequestParam) for a possible redirect URL and then also uses this on logout (although redirect is disabled).
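
Added example, not part of the original report and not felogin code: a small PHP model of the flow the description asks for, where the logout POST reaches loginAction, the logout is confirmed, and the request-supplied redirect_url is honoured only when redirect is enabled. The function handleLogoutPost(), its parameters and the sample requests are hypothetical; only logintype, redirect, redirect_url and the two event names come from the ticket.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the flow proposed in this ticket. It is not felogin
// code: handleLogoutPost() and its parameters are invented for illustration.

/**
 * @param array $params         merged GET/POST data of the request to loginAction
 * @param bool  $hasSession     whether a frontend user session still exists
 * @param bool  $pluginRedirect whether redirect is enabled in the plugin
 * @return array{events: list<string>, redirect: ?string}
 */
function handleLogoutPost(array $params, bool $hasSession, bool $pluginRedirect): array
{
    $result = ['events' => [], 'redirect' => null];

    // Condition the ticket gives for isLogoutSuccessful():
    // no user session exists and logintype=logout is part of GET/POST data.
    $logoutSuccessful = !$hasSession && ($params['logintype'] ?? '') === 'logout';
    if (!$logoutSuccessful) {
        return $result;
    }
    $result['events'][] = 'LogoutConfirmedEvent';

    // Redirect is disabled by the plugin or by redirect=0 in the request.
    $redirectEnabled = $pluginRedirect && (string)($params['redirect'] ?? '') !== '0';
    $target = (string)($params['redirect_url'] ?? '');

    // Guard asked for in the last paragraph: with redirect disabled, the
    // request-supplied redirect_url is ignored.
    if ($redirectEnabled && $target !== '') {
        $result['events'][] = 'BeforeRedirectEvent';
        $result['redirect'] = $target;
    }
    return $result;
}

// Constructed sample requests (not captured traffic).
$base = ['logintype' => 'logout', 'redirect_url' => '/goodbye'];
$cases = [
    'redirect enabled'    => [$base, false, true],
    'redirect=0 in URL'   => [$base + ['redirect' => '0'], false, true],
    'disabled in plugin'  => [$base, false, false],
    'session still alive' => [$base, true, true],
];
foreach ($cases as $label => [$params, $hasSession, $pluginRedirect]) {
    $r = handleLogoutPost($params, $hasSession, $pluginRedirect);
    printf("%-20s events=[%s] redirect=%s\n", $label, implode(', ', $r['events']), $r['redirect'] ?? '(none)');
}
```

Only the first case ends in a redirect; the two disabled cases confirm the logout but return no target, and the last case does nothing because the session still exists.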

Actions #1

Updated by Torben Hansen 6 months ago

  • Subject changed from Logout process not working as intended to ext:login logout process not working as intended
Actions #2

Updated by Torben Hansen 6 months ago

  • Description updated (diff)
Actions #3

Updated by Torben Hansen 6 months ago

  • Description updated (diff)
Actions #4

Updated by Torben Hansen 6 months ago

  • Subject changed from ext:login logout process not working as intended to ext:felogin logout process not working as intended
Actions #5

Updated by Torben Hansen about 1 month ago

  • Description updated (diff)
  • Target version set to Candidate for Major Version
Actions #6

Updated by Garvin Hicking about 1 month ago

  • Tags set to breaking