Item13400: Logout fails to consider {ForceDefaultUrlHost} when redirecting after logout
Priority: Urgent
Current State: Closed
Released In: 2.0.0
Target Release: major
Reported on IRC. When Foswiki is used with a reverse proxy, the logout link redirects to the internal location, and not to the forced external URL.
jomo, regarding the unsafe redirect ... The redirect is done by lib/Foswiki/LoginManager sub redirectToLoggedOutUrl {
It generates the redirect using: $redirectUrl = $session->{request}->url() . $path_info; or $redirectUrl = $session->{request}->referer(); (if no path_info available)
You might add some debug print statements there to see what's in the url() and referrer() fields. I'm guessing that's where it's going awry for you. [01:20]
I don't have a proxy setup to try though so I'm not sure how to fix it. [01:30]
jomo you could try changing:
- $redirectUrl = $session->{request}->url() . $path_info;
+ $redirectUrl = $session->{urlHost} . $path_info; [01:46]
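Review bot: the swap on the + line only covers the branch taken when $path_info is set; when it is empty the redirect still comes from $session->{request}->referer(), which is a client-supplied header, so that path neither follows {ForceDefaultUrlHost} nor constrains where the logout lands. Suggest taking the host from $session->{urlHost} in both branches, or checking the referer's host against it before redirecting.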
...
jomo gac410: As usual, you found the bug. ;)
Changing the
- $redirectUrl = $session->{request}->url() . $path_info;
+ $redirectUrl = $session->{urlHost} . $path_info;
jomo helped - not the logout is OK . ;)
s/not/now/
thanx ;)
I'm not ready to check in a fix here because I'm unsure of how to handle the redirect to the "referrer", and when that use case occurs.
Crawford, Setting it waiting for your feedback. Do you have any wisdom about when referrer would be used during logout, vs. pathinfo? Code in LoginManager.pm around line 650:
    my $redirectUrl;
    if ($path_info) {
        $redirectUrl = $session->{request}->url() . $path_info;
    }
    else {
        $redirectUrl = $session->{request}->referer();
    }
The fix I asked jomo to try unconditionally replaced the $session->{request}->url() with the $session->{urlHost}. For a releasable fix, I'm considering:
    If ={ForceDefaultUrlHost}=,
        ignore the current path_info & referrer considerations, and just use the ={urlHost}= for the redirect,
    else
        use the current logic.
--
GeorgeClark - 09 May 2015
Checked in a fix, I think it should be fine.
--
GeorgeClark - 10 May 2015
Yes, that makes sense.
--
Main.CrawfordCurrie - 17 May 2015 - 12:22