Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla 2.6 LogOut Target (Single Sign Out)

Vanilla 2.6
Wordpress 4.9.7

Hello, It looks like something may have changed in the logout since Vanilla 2.3.?? When logging out, Target is no longer redirecting.

In v: 6.2, this is in config-defaults.php:

$Configuration['Garden']['Authenticator']['SignOutUrl'] = '/entry/signout/{Session_TransientKey}?Target=%2$s';

I used to be able to override this in config.php by doing:

$Configuration['Garden']['Authenticator']['SignOutUrl'] = '/entry/signout/{Session_TransientKey}?Target=http://www.<mydomain>/wp-login.php?action=logout';

The result would be that the user would get logged out of Vanilla, then would redirect to the wordpress site and be asked if they wanted to log out there.

It no longer redirects to the wordpress site. Any idea on how to redirect in v6.2 after logout?



  • Options

    Does Target no longer allow remote url? I did some tests... and finally just did ?Target=/something

    That last one worked and redirected to a 404. I'm guessing Vanilla outlawed remote targets?

    So, if so, what is the new method for redirecting to a remote URL to do a Single Sign Off??


  • Options

    I found this on GIThub:

    Is that related to my findings?

  • Options
    R_JR_J Ex-Fanboy Munich Admin

    That's hard to support without having WordPress installed. So I just have to assume a few things.
    It looks as if the above mentioned setting doesn't exist/isn't used in Vanilla 2.6.

    In the EntryControllers signOut method, I find the following:

            if (!isTrustedDomain($target)) {
                $target = Gdn::router()->getDestination('DefaultController');

    So the target is only used if it is a "trusted domain". In order to check if a domain is trusted, several testings are made (in function.general.php) and there is a configuration setting where you can add a domain:

            $configuredDomains = c('Garden.TrustedDomains', []);
            if (!is_array($configuredDomains)) {
                $configuredDomains = is_string($configuredDomains) ? explode("\n", $configuredDomains) : [];

    So maybe adding $Configuration['Garden']['TrustedDomains'] = ['mydomain']; is what you need to do?

    But that would still leave the question where the custom target could come in...

    It seems as if that target has to come from the get request. So I would say that you have to react on that by writing a custom theme where you change the sign out link or you write a plugin that alters the sign out target

    pubic function entryController_beforeSignOut_handler($sender) {
        // Custom target must nevertheless be a "trusted" domain.

    I guess the plugin approach is more fail safe than changing the theme

  • Options
    edited August 2018

    Thx @R_J
    After looking at your ideas and doing some (hours of) debugging.. I found a solution.

    The idea here is that you set Trusted domains in the new admin... 'Security' tab:
    Dashboard › Settings › Technical › Security

    It adds the domain you are on by default.. so I first added:


    The above, in my case, I thought should not matter.. because the URL to my forum is:


    And the redirect url is:


    The isTrustedDomain function parses some stuff out... but I then took a look at this part of the function.
    (approx Line# 2097)

    So, finally, I put in the full URL in the trusted domains and it now works.

    The end result is that I think this is either buggy or not documented well.
    It seems, it's not a trusted 'domain'.. rather it's a trusted URL.
    Also, maybe the wild card is not working.. as it's stated in the back end that it should work.

    End statement... use full redirect URL in the backend (minus http(s)://)!!

    Hope this helps someone else out there.

Sign In or Register to comment.