#35488 closed defect (bug) (fixed)
wp_logout() not working as it should
Reported by: | sebastian.pisula | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.3 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Users | Keywords: | has-patch has-unit-tests |
Focuses: | Cc: |
Description
I have test:
<?php include 'wp-load.php'; echo 'content for guest<br />'; if ( is_user_logged_in() ) { echo 'content for user logged in<br />'; } else { echo 'content for user logged in - go to login form<br />'; } wp_logout(); echo 'content for guest<br />'; if ( is_user_logged_in() ) { echo 'content for user logged in'; } else { echo 'content for user logged in - go to login form<br />'; }
Output should be:
content for user logged in content for user logged in - go to login form
but output is:
content for user logged in content for user logged in
I think that this is bug.
Attachments (2)
Change History (14)
#3
@
9 years ago
Note that logging a user out after output has started is not possible because cookies cannot be set after the headers have been sent.
#5
@
6 years ago
- Status changed from new to reopened
Bumped into this in a project today, and have taken the liberty of reopening the ticket.
I'm writing a plugin that automatically logs a user out after a certain period of inactivity. To do this, I'm hooking into "admin_init", and if the user has been inactive for x minutes, I call wp_logout(). For this to work properly, all code running after "admin_init" should run as if the user is not logged in. Among other things, this will trigger the login modal in wp-admin.
Considering that I just explicitly logged out the user, is_user_logged_in() especially should return false. Other functions that are affected are get_current_user() and wp_auth_check().
Sebastian.pisula's patch works flawlessly for me on 5.0.3. It makes wp_logout() do what the function's name and description suggest.
Please consider accepting this patch.
#6
@
6 years ago
- Milestone set to 5.3
- Owner set to SergeyBiryukov
- Status changed from reopened to reviewing
#8
@
5 years ago
I've just tested with a user in my DB with ID=0, just to be sure it won't load this user using the new patch line: It does not do that, I'm correctly logged out now.
#9
@
5 years ago
@SergeyBiryukov How do you feel about the most recent patch for 5.3? It applies cleanly to trunk
and the new unit test passes.
#11
follow-up:
↓ 13
@
5 years ago
This fix has changed behavior in the wp_logout
filter. Prior to WordPress 5.3, plugin developers could use get_current_user_id()
inside the hook to get the ID of the user logging out.
https://github.com/WordPress/WordPress/blob/master/wp-includes/pluggable.php#L566-L582
For example, in a plugin that links external authentication services (like Google, LDAP, CAS) we use it to log the user out of their external account.
Maybe we can add a pre_wp_logout
hook at the beginning of the wp_logout()
function for cases where we need to refer to the logging out user?
#12
@
5 years ago
FYI we decided to use the clear_auth_cookie
action instead of wp_logout
, since it fires on logout before the current user session is destroyed.
https://developer.wordpress.org/reference/hooks/clear_auth_cookie/
The only other time the hook fires is when the user changes their password (in which case they need to log in again anyway, so it is, in practice, a "logout").
It's actually the same behaviour as with
wp_signon()
, see #28116.