Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Vanilla 2.6 LogOut Target (Single Sign Out)
Vanilla 2.6
Wordpress 4.9.7
Hello, It looks like something may have changed in the logout since Vanilla 2.3.?? When logging out, Target is no longer redirecting.
In v: 6.2, this is in config-defaults.php:
$Configuration['Garden']['Authenticator']['SignOutUrl'] = '/entry/signout/{Session_TransientKey}?Target=%2$s';
I used to be able to override this in config.php by doing:
$Configuration['Garden']['Authenticator']['SignOutUrl'] = '/entry/signout/{Session_TransientKey}?Target=http://www.<mydomain>/wp-login.php?action=logout';
The result would be that the user would get logged out of Vanilla, then would redirect to the wordpress site and be asked if they wanted to log out there.
It no longer redirects to the wordpress site. Any idea on how to redirect in v6.2 after logout?
Donovan
0
Comments
Does Target no longer allow remote url? I did some tests... and finally just did ?Target=/something
That last one worked and redirected to a 404. I'm guessing Vanilla outlawed remote targets?
So, if so, what is the new method for redirecting to a remote URL to do a Single Sign Off??
Donovan
I found this on GIThub:
https://github.com/vanilla/vanilla/issues/7399
Is that related to my findings?
That's hard to support without having WordPress installed. So I just have to assume a few things.
It looks as if the above mentioned setting doesn't exist/isn't used in Vanilla 2.6.
In the EntryControllers signOut method, I find the following:
So the target is only used if it is a "trusted domain". In order to check if a domain is trusted, several testings are made (in function.general.php) and there is a configuration setting where you can add a domain:
So maybe adding
$Configuration['Garden']['TrustedDomains'] = ['mydomain'];
is what you need to do?But that would still leave the question where the custom target could come in...
It seems as if that target has to come from the get request. So I would say that you have to react on that by writing a custom theme where you change the sign out link or you write a plugin that alters the sign out target
I guess the plugin approach is more fail safe than changing the theme
Thx @R_J
After looking at your ideas and doing some (hours of) debugging.. I found a solution.
The idea here is that you set Trusted domains in the new admin... 'Security' tab:
Dashboard › Settings › Technical › Security
It adds the domain you are on by default.. so I first added:
The above, in my case, I thought should not matter.. because the URL to my forum is:
And the redirect url is:
The isTrustedDomain function parses some stuff out... but I then took a look at this part of the function.
(approx Line# 2097)
So, finally, I put in the full URL in the trusted domains and it now works.
The end result is that I think this is either buggy or not documented well.
It seems, it's not a trusted 'domain'.. rather it's a trusted URL.
Also, maybe the wild card is not working.. as it's stated in the back end that it should work.
End statement... use full redirect URL in the backend (minus http(s)://)!!
Hope this helps someone else out there.