Project

General

Profile

Bug #103910

Updated by Torben Hansen about 1 month ago

Although the login process in ext:felogin works correct from a technical perspective, it does not work as intended.  

 The logout form is rendered with @<f:form action="login" actionUri="{actionUri}" target="_top" fieldNamePrefix="">@, where the value of @actionUri@ is the possible redirect URL after the user has been logged out. The @actionUri@ parameter however overwrites the forms action, so when the user logs out by submitting the logout form, a POST request is processed to the redirect URL. Since the POST request includes @logintype=logout@ in the request body, TYPO3 authentication services terminates the users sessions and the logout is finished. So basically, ext:felogin does not handle the logout process (as I would expect), but TYPO3 authentication services do. 

 However, ext:felogin has code to handle the logout process internally. In @initializeAction@ we have code to check, if a login or logout process is in process. Or in @loginAction@ we have @$this->isLogoutSuccessful()@, which checks if the logout was successful by ensuring no user session exist and @logintype=logout@ is part of GET/POST data. The code for the logout process can currently only be triggered manually (e.g call link https://domain.tld/login?logintype=logout). 

 In order to work as intended, the @action@ of the logout form must always be the @loginAction@ of ext:felogin and the @actionUri@ parameter must be removed. -In In addition, the logout form should contain a new hidden input field @<f:form.hidden name="redirect_url" value="{redirectURL}" />@, where @{redirectURL}@ is the evaluated/configured redirect URL from ext:felogin plugin.- plugin. Having this in place, ext:felogin will correctly handle the redirect after logout, and it is possible to use the @LogoutConfirmedEvent@ or the use the @BeforeRedirectEvent@ before the logout redirect is processed.  

Back