Make WordPress Core

Opened 9 years ago

Closed 5 years ago

Last modified 4 years ago

#35488 closed defect (bug) (fixed)

wp_logout() not working as it should

Reported by: sebastian.pisula
Owned by: SergeyBiryukov
Milestone: 5.3
Priority: normal
Severity: normal
Version:
Component: Users
Keywords: has-patch has-unit-tests
Focuses:
Cc:

Description

I have a test:

<?php

include 'wp-load.php';

echo 'content for guest<br />';

if ( is_user_logged_in() ) {
        echo 'content for user logged in<br />';
} else {
        echo 'content for user logged in - go to login form<br />';
}

wp_logout();

echo 'content for guest<br />';

if ( is_user_logged_in() ) {
        echo 'content for user logged in';
} else {
        echo 'content for user logged in - go to login form<br />';
}

Output should be:

content for user logged in
content for user logged in - go to login form

but output is:

content for user logged in
content for user logged in

I think that this is a bug.

Attachments (2)

35488.patch (506 bytes) - added by sebastian.pisula 9 years ago.
35488.1.diff (946 bytes) - added by donmhico 5 years ago.
Refreshed the patch and added a unit test.


Change History (14)

#1 @ocean90
9 years ago

It's actually the same behaviour as with wp_signon(), see #28116.

#2 in reply to: ↑ 1 @sebastian.pisula
9 years ago

Replying to ocean90:

It's actually the same behaviour as with wp_signon(), see #28116.

This is a bug? :)

#3 @johnbillion
9 years ago

Note that logging a user out after output has started is not possible because cookies cannot be set after the headers have been sent.

#5 @roytanck
6 years ago

  • Status changed from new to reopened

Bumped into this in a project today, and have taken the liberty of reopening the ticket.

I'm writing a plugin that automatically logs a user out after a certain period of inactivity. To do this, I'm hooking into "admin_init", and if the user has been inactive for x minutes, I call wp_logout(). For this to work properly, all code running after "admin_init" should run as if the user is not logged in. Among other things, this will trigger the login modal in wp-admin.

Considering that I just explicitly logged out the user, is_user_logged_in() especially should return false. Other functions that are affected are get_current_user() and wp_auth_check().

Sebastian.pisula's patch works flawlessly for me on 5.0.3. It makes wp_logout() do what the function's name and description suggest.

Please consider accepting this patch.

#6 @SergeyBiryukov
6 years ago

  • Milestone set to 5.3
  • Owner set to SergeyBiryukov
  • Status changed from reopened to reviewing

@donmhico
5 years ago

Refreshed the patch and added a unit test.

#7 @donmhico
5 years ago

  • Keywords has-patch has-unit-tests added

#8 @juliobox
5 years ago

I've just tested with a user in my DB with ID=0, just to be sure it won't load this user using the new patch line: It does not do that, I'm correctly logged out now.

#9 @davidbaumwald
5 years ago

@SergeyBiryukov How do you feel about the most recent patch for 5.3? It applies cleanly to trunk and the new unit test passes.

#10 @SergeyBiryukov
5 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 46467:

Users: Make sure wp_logout() clears current user, so that a subsequent call to is_user_logged_in() works as expected.

Props sebastian.pisula, donmhico, roytanck, juliobox.
Fixes #35488.
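
As an added example (not code from this ticket, its patches, or WordPress core), here is an inactivity logout of the kind described in comment #5, written so that the rest of the request sees a logged-out user both with and without this fix. The `example_` names, the meta key, and the 15-minute limit are assumptions.

```php
<?php
/**
 * Plugin Name: Example Idle Logout
 * Added example for ticket #35488; not code from the ticket or from core.
 */

define( 'EXAMPLE_IDLE_META_KEY', 'example_last_activity' ); // Hypothetical meta key.
define( 'EXAMPLE_IDLE_LIMIT', 15 * MINUTE_IN_SECONDS );     // Hypothetical timeout.

// Start a fresh idle window at every login so a stale timestamp from an
// earlier session cannot log the user straight back out.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, EXAMPLE_IDLE_META_KEY, time() );
}, 10, 2 );

function example_idle_logout_check() {
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return; // No authenticated user on this request.
    }

    $last = (int) get_user_meta( $user_id, EXAMPLE_IDLE_META_KEY, true );

    if ( $last > 0 && ( time() - $last ) > EXAMPLE_IDLE_LIMIT ) {
        // admin_init runs before output starts, so the headers that clear
        // the auth cookies can still be sent (comment #3).
        wp_logout();

        // Without the fix from this ticket, wp_logout() leaves the current
        // user set in memory and later code in this request still sees a
        // logged-in user. On fixed versions this branch is skipped.
        if ( is_user_logged_in() ) {
            wp_set_current_user( 0 );
        }

        if ( ! wp_doing_ajax() ) {
            wp_safe_redirect( wp_login_url() ); // Full page load: go to the login form.
            exit;
        }
        return; // AJAX: the rest of the request runs as a logged-out visitor.
    }

    // Background AJAX (such as Heartbeat polling) is not user activity and
    // must not extend the idle window.
    if ( ! wp_doing_ajax() ) {
        update_user_meta( $user_id, EXAMPLE_IDLE_META_KEY, time() );
    }
}
add_action( 'admin_init', 'example_idle_logout_check', 1 );
```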

#11 @figureone
5 years ago

This fix has changed behavior in the wp_logout filter. Prior to WordPress 5.3, plugin developers could use get_current_user_id() inside the hook to get the ID of the user logging out.
https://github.com/WordPress/WordPress/blob/master/wp-includes/pluggable.php#L566-L582

For example, in a plugin that links external authentication services (like Google, LDAP, CAS) we use it to log the user out of their external account.

Maybe we can add a pre_wp_logout hook at the beginning of the wp_logout() function for cases where we need to refer to the logging out user?

#12 @figureone
5 years ago

FYI we decided to use the clear_auth_cookie action instead of wp_logout, since it fires on logout before the current user session is destroyed.
https://developer.wordpress.org/reference/hooks/clear_auth_cookie/

The only other time the hook fires is when the user changes their password (in which case they need to log in again anyway, so it is, in practice, a "logout").

#13 in reply to: ↑ 11 @SergeyBiryukov
5 years ago

Replying to figureone:

This fix has changed behavior in the wp_logout filter. Prior to WordPress 5.3, plugin developers could use get_current_user_id() inside the hook to get the ID of the user logging out.

Follow-up: #49533
