Bug #103910
Updated by Torben Hansen about 1 month ago
Although the login process in ext:felogin works correctly from a technical perspective, it does not work as intended. The logout form is rendered with @<f:form action="login" actionUri="{actionUri}" target="_top" fieldNamePrefix="">@, where the value of @actionUri@ is the possible redirect URL after the user has been logged out. The @actionUri@ parameter, however, overwrites the form's action, so when the user logs out by submitting the logout form, a POST request is processed to the redirect URL. Since the POST request includes @logintype=logout@ in the request body, TYPO3 authentication services terminate the user's sessions and the logout is finished. So basically, ext:felogin does not handle the logout process (as I would expect), but TYPO3 authentication services do.

However, ext:felogin has code to handle the logout process internally. In @initializeAction@ we have code to check if a login or logout process is in progress. Or in @loginAction@ we have @$this->isLogoutSuccessful()@, which checks if the logout was successful by ensuring no user session exists and @logintype=logout@ is part of GET/POST data. The code for the logout process can currently only be triggered manually (e.g. by calling the link https://domain.tld/login?logintype=logout).

In order to work as intended, the @action@ of the logout form must always be the @loginAction@ of ext:felogin and the @actionUri@ parameter must be removed. -In addition, the logout form should contain a new hidden input field @<f:form.hidden name="redirect_url" value="{redirectURL}" />@, where @{redirectURL}@ is the evaluated/configured redirect URL from ext:felogin plugin.- Having this in place, ext:felogin will correctly handle the redirect after logout, and it is possible to use the @LogoutConfirmedEvent@ or to use the @BeforeRedirectEvent@ before the logout redirect is processed.

In addition, the current evaluation of the @actionUri@ has issues. If redirect is disabled either by plugin or URL parameter @redirect=0@, then the logoutAction evaluates GET/POST data (function @getRedirectUrlRequestParam@) for a possible redirect URL and then also uses this on logout (although redirect is disabled).
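The two behaviours described in this report can be compared side by side in a small model. This is an added example, not ext:felogin code: the function names, array keys and URLs are hypothetical, the request parameter name @redirect_url@ is assumed from the hidden field mentioned above, and the handling of the redirect-enabled case is a simplification.

```php
<?php
declare(strict_types=1);

// Simplified model of the flow in the report; NOT ext:felogin code.
// Function names, array keys and URLs are hypothetical/constructed.

/** Behaviour as reported: actionUri replaces the form action. */
function logoutAsReported(bool $redirectDisabled, array $request, string $configured, string $pluginUri): array
{
    // Reported defect: with redirect disabled, a redirect URL taken from
    // GET/POST (assumed parameter name: redirect_url) is still used.
    $actionUri = $redirectDisabled ? ($request['redirect_url'] ?? '') : $configured;
    $postTarget = $actionUri !== '' ? $actionUri : $pluginUri;
    return [
        'postTarget' => $postTarget,
        // The plugin only sees the POST when it is sent to its own page.
        'pluginHandlesLogout' => $postTarget === $pluginUri,
        'userEndsUpAt' => $postTarget,
    ];
}

/** Behaviour the report asks for: always post to the plugin's loginAction. */
function logoutAsIntended(bool $redirectDisabled, array $request, string $configured, string $pluginUri): array
{
    // With redirect disabled no redirect URL is used, whatever the request carries.
    $redirect = (!$redirectDisabled && $configured !== '') ? $configured : null;
    return [
        'postTarget' => $pluginUri,
        'pluginHandlesLogout' => true, // logout events and redirect handling can run
        'userEndsUpAt' => $redirect ?? $pluginUri,
    ];
}

// Constructed input: redirect disabled, but a redirect_url arrives in the request.
$request = ['logintype' => 'logout', 'redirect_url' => 'https://domain.tld/other-page'];
$args = [true, $request, 'https://domain.tld/goodbye', 'https://domain.tld/login'];

foreach (['logoutAsReported', 'logoutAsIntended'] as $fn) {
    echo $fn, ': ', json_encode($fn(...$args), JSON_UNESCAPED_SLASHES), PHP_EOL;
}
```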