
Item13400: Logout fails to consider {ForceDefaultUrlHost} when redirecting after logout

Priority: Urgent
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component: LoginManager
Branches: master
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
Reported on IRC. When Foswiki is used with a reverse proxy, the logout link redirects to the internal location, and not to the forced external URL.

jomo, regarding the unsafe redirect ... The redirect is done by lib/Foswiki/LoginManager sub redirectToLoggedOutUrl {
It generates the redirect using: $redirectUrl = $session->{request}->url() . $path_info; or $redirectUrl = $session->{request}->referer(); (if no path_info available)
You might add some debug print statements there to see what's in the url() and referrer() fields. I'm guessing that's where it's going awry for you.    [01:20]
   I don't have a proxy setup to try though so I'm not sure how to fix it.    [01:30]

   jomo you could try changing:
- $redirectUrl = $session->{request}->url() . $path_info;
+ $redirectUrl = $session->{urlHost} . $path_info;    [01:46]
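Review bot: on the `+` line, `$session->{urlHost}` replaces the request URL unconditionally and only in the `$path_info` branch. The `else` branch shown in the code excerpt on this page still takes its target from `$session->{request}->referer()`, and nothing here checks {ForceDefaultUrlHost}. Consider making the override conditional on {ForceDefaultUrlHost} and deciding explicitly what the no-path_info case should redirect to.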
jomo   gac410: As usually, you found the bug. ;)
Changing the
- $redirectUrl = $session->{request}->url() . $path_info;
+ $redirectUrl = $session->{urlHost} . $path_info;
jomo helped - now the logout is OK. ;)
thanx ;) 

I'm not ready to check in a fix here because I'm unsure of how to handle the redirect to the "referrer", and when that use case occurs.

Crawford, setting it waiting for your feedback. Do you have any wisdom about when referrer would be used during logout vs. pathinfo? Code is at around line 650:
    my $redirectUrl;
    if ($path_info) {
        # Target built from the URL the request arrived on
        $redirectUrl = $session->{request}->url() . $path_info;
    }
    else {
        # No path_info: fall back to the Referer header
        $redirectUrl = $session->{request}->referer();
    }

The fix I asked jomo to try unconditionally replaced the $session->{request}->url() with the $session->{urlHost}. For a releasable fix, I'm considering:
   If {ForceDefaultUrlHost},
       ignore the current path_info & referrer considerations, and just use the {urlHost} for the redirect,
   otherwise
       use the current logic.

-- GeorgeClark - 09 May 2015
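
The releasable logic considered in the comment above, sketched as an added example (not the fix that was checked in and not Foswiki code). Plain hashes stand in for the session, its request object and the configuration; the host names and values are constructed.

```perl
use strict;
use warnings;

# Added illustration, not Foswiki code: plain hashes stand in for the
# session, its request object and the configuration (all hypothetical).

# Logic quoted in the ticket: the target is built from request data.
sub current_redirect {
    my ($session) = @_;
    my $req = $session->{request};
    return $req->{path_info}
      ? $req->{url} . $req->{path_info}
      : $req->{referer};
}

# Logic proposed in the ticket: a forced host wins over request data.
sub proposed_redirect {
    my ( $cfg, $session ) = @_;
    return $session->{urlHost} if $cfg->{ForceDefaultUrlHost};
    return current_redirect($session);
}

# Constructed sample: the proxy reaches the backend under an internal
# name, while the browser-supplied Referer carries the external one.
my %session = (
    urlHost => 'https://wiki.example.com',
    request => {
        url       => 'http://backend.internal:8080',
        path_info => '/Main/WebHome',
        referer   => 'https://wiki.example.com/Main/WebHome',
    },
);

# Walk the four combinations of forced host and presence of path_info.
for my $force ( 0, 1 ) {
    for my $with_path ( 1, 0 ) {
        my %s = ( %session, request => { %{ $session{request} } } );
        $s{request}{path_info} = '' unless $with_path;
        my $cfg = { ForceDefaultUrlHost => $force };
        printf "force=%d path_info=%-3s current=%s proposed=%s\n",
          $force, ( $with_path ? 'yes' : 'no' ),
          current_redirect( \%s ), proposed_redirect( $cfg, \%s );
    }
}
```

With the forced host off, both functions agree and the path_info case points at the internal backend name; with it on, the proposed logic returns the configured host regardless of what the request carried.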

Checked in a fix, I think it should be fine.

-- GeorgeClark - 10 May 2015

Yes, that makes sense.

-- Main.CrawfordCurrie - 17 May 2015 - 12:22

ItemTemplate

Summary Logout fails to consider {ForceDefaultUrlHost} when redirecting after logout
ReportedBy GeorgeClark
Codebase 1.2.0 beta1, 1.1.9, trunk
SVN Range
AppliesTo Engine
Component LoginManager
Priority Urgent
CurrentState Closed
Checkins distro:a21dc67410ed
TargetRelease major
ReleasedIn 2.0.0
CheckinsOnBranches master
masterCheckins distro:a21dc67410ed
Topic revision: r4 - 05 Jul 2015, GeorgeClark - This page was cached on 26 Oct 2016 - 03:35.
