Authentication does not remove check_logged_in from session management

Created on 28 November 2024, 8 months ago

Problem/Motivation

When redirecting after authentication, the check_logged_in variable is not properly deleted from the Session object.
This causes an error message when logging out: 'To log in to this site, your browser must accept cookies from the domain ...'.

Steps to reproduce

Add a URL other than the homepage under 'Redirect URL after user login' on the settings page (/admin/config/people/miniorange_2fa/login_settings).
Log in with 2FA.
Log out. The user is redirected to the homepage, with the query string 'check_logged_in=1'. The error message is rendered.

Proposed resolution

In miniorange_authenticate.php a new RedirectResponse is initialised. However, the redirect is followed by an exit, which terminates any other services.
This causes the RedirectResponse to be handled as a HTMLResponse, which, since 10.3.3, is unhandled by the protected getUserFromSession(SessionInterface $session) method of Drupal\user\Authentication\Provider\Cookie.

Is there a specific reason to terminate the code after sending the RedirectResponse?

🐛 Bug report
Status

Active

Version

5.1

Component

Code

Created by

🇧🇪Belgium jurgenr
