Bug #103910
ext:felogin logout process not working as intended
Description
Although the login process in ext:felogin works correctly from a technical perspective, it does not work as intended.
The logout form is rendered with <f:form action="login" actionUri="{actionUri}" target="_top" fieldNamePrefix="">, where the value of actionUri is the possible redirect URL after the user has been logged out. The actionUri parameter however overwrites the form's action, so when the user logs out by submitting the logout form, a POST request is processed to the redirect URL. Since the POST request includes logintype=logout in the request body, TYPO3 authentication services terminate the user's sessions and the logout is finished. So basically, ext:felogin does not handle the logout process (as I would expect), but TYPO3 authentication services do.
However, ext:felogin has code to handle the logout process internally. In initializeAction we have code to check if a login or logout process is in progress. Or in loginAction we have $this->isLogoutSuccessful(), which checks if the logout was successful by ensuring no user session exists and logintype=logout is part of GET/POST data. The code for the logout process can currently only be triggered manually (e.g. call link https://domain.tld/login?logintype=logout).
In order to work as intended, the action of the logout form must always be the loginAction of ext:felogin and the actionUri parameter must be removed. In addition, the logout form should contain a new hidden input field <f:form.hidden name="redirect_url" value="{redirectURL}" />, where {redirectURL} is the evaluated/configured redirect URL from ext:felogin plugin. Having this in place, ext:felogin will correctly handle the redirect after logout, and it is possible to use the LogoutConfirmedEvent or the BeforeRedirectEvent before the logout redirect is processed.
In addition, the current evaluation of the actionUri has issues. If redirect is disabled either by plugin or URL parameter redirect=0, then the logoutAction evaluates GET/POST data (function getRedirectUrlRequestParam) for a possible redirect URL and then also uses this on logout (although redirect is disabled).
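
The form change proposed in this report, sketched as a Fluid template. This is an added example, not part of the original report and not ext:felogin's shipped template. Only the opening <f:form> tag and the redirect_url field come from the report; the logintype field and the submit button are assumptions based on the described POST body.

```html
<!-- Current behaviour described in the report: actionUri overrides the
     form action, so the browser POSTs straight to the redirect target and
     ext:felogin's loginAction never sees the logout request. -->
<f:form action="login" actionUri="{actionUri}" target="_top" fieldNamePrefix="">
    <!-- assumed field: the report states logintype=logout is in the POST body -->
    <f:form.hidden name="logintype" value="logout" />
    <!-- assumed submit button; label is a placeholder -->
    <f:form.submit value="Log out" />
</f:form>

<!-- Proposed form: no actionUri, so the POST always reaches loginAction.
     The redirect target travels as data in redirect_url, and ext:felogin
     decides whether to honour it (for example, not when redirect is
     disabled) before LogoutConfirmedEvent / BeforeRedirectEvent fire. -->
<f:form action="login" target="_top" fieldNamePrefix="">
    <f:form.hidden name="logintype" value="logout" />
    <!-- {redirectURL}: the evaluated/configured redirect URL from the plugin -->
    <f:form.hidden name="redirect_url" value="{redirectURL}" />
    <f:form.submit value="Log out" />
</f:form>
```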