- Issue created by @aalin
- 🇺🇸United States pfrilling Minster, OH
Thanks for the report. Working on this today.
- 🇺🇸United States pfrilling Minster, OH
CSRF protection and tests confirming it have been added to the logout route.
I think we should create a follow-up issue to introduce the `_csrf_confirm_form_route` that mimics the `OpenIDConnectRedirectController::redirectLogout`. That seemed like a bigger refactor and likely warrants a separate issue.
- 🇫🇷France jibus
I applied the patch.
The user/logout route now returns a 403.
This is the logical behavior, but is it the expected behavior?
Shouldn't we have the confirmation form?
- 🇺🇸United States pfrilling Minster, OH
@jibus, Yes, I do think we need to add the confirmation form to match core's workflow, but I was planning on doing that work in a separate issue.
- 🇺🇸United States pfrilling Minster, OH
I'm marking this as RTBC from @jibus's review in #5.
- pfrilling → committed be314198 on 3.x: Issue #3508791 by pfrilling, jibus, aalin: Add CSRF protection for /user...
- 🇺🇸United States pfrilling Minster, OH
Code has been merged and the followup issue has been created to add the confirmation form here: https://www.drupal.org/project/openid_connect/issues/3518252 ✨ Add _csrf_confirm_form_route option for to the user/logout route Active
- 🇺🇸United States attheshow
I just wanted to post a heads up here. It looks like this change is for some reason causing a 403 error when a currently-logged-in user visits /user/logout on D11.
- 🇺🇸United States pfrilling Minster, OH
Thanks @attheshow. That is expected as the route requires a CSRF token. Browsing directly to that route won't have the token, hence the 403. If you use the logout link provided by a menu and/or the login block, it should work. The followup issue ✨ Add _csrf_confirm_form_route option for to the user/logout route Active will get that direct link remedied with a confirmation form.
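To illustrate the behaviour described in this thread, here is an added example (not code from the openid_connect module or from any commenter) showing a Drupal route definition with the unprotected setting beside the corrected one; the route name, controller class and confirm-form route name are assumptions for illustration only:

```yaml
# BEFORE (assumed shape, not the module's actual file): the logout route
# accepts any GET request. A page on another site can embed a link or image
# pointing at /user/logout and log the visitor out without their consent.
example_logout.unprotected:
  path: '/user/logout'
  defaults:
    _controller: '\Drupal\example\Controller\ExampleLogoutController::logout'
  requirements:
    _user_is_logged_in: 'TRUE'

# AFTER: `_csrf_token: 'TRUE'` makes the route access check require a valid
# `token` query parameter. Links built with Url::fromRoute() get that token
# appended automatically by Drupal's CSRF route processor, which is why the
# menu and login-block logout links keep working while a hand-typed
# /user/logout URL returns 403 (the behaviour reported above).
example_logout.protected:
  path: '/user/logout'
  defaults:
    _controller: '\Drupal\example\Controller\ExampleLogoutController::logout'
  requirements:
    _user_is_logged_in: 'TRUE'
    _csrf_token: 'TRUE'
  options:
    # Optional: instead of a bare 403, send token-less requests to a
    # confirmation form (a POST with Drupal's form token). This is the
    # follow-up the thread refers to; the route name is an assumption.
    _csrf_confirm_form_route: 'example_logout.confirm'

# The confirmation form route the option above points at (assumed name).
example_logout.confirm:
  path: '/user/logout/confirm'
  defaults:
    _form: '\Drupal\example\Form\ExampleLogoutConfirmForm'
    _title: 'Log out'
  requirements:
    _user_is_logged_in: 'TRUE'
```

To verify the fix on a site, request /user/logout without a `token` query parameter while logged in and confirm the response is a 403 (or, with the confirm-form option, a redirect to the confirmation page), then follow a generated logout link and confirm it succeeds.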
- 🇺🇸United States attheshow
OK, I'll go ahead and put together a patch for our site so that we can continue to use our existing logout links on D11.
- 🇺🇸United States pfrilling Minster, OH
The confirmation form logic is in place here: https://www.drupal.org/project/openid_connect/issues/3518252 ✨ Add _csrf_confirm_form_route option for to the user/logout route Active.
@attheshow, are you able to manually test that MR and confirm if it works for your use case?
- Status changed to Fixed (2:25pm 28 April 2025)
- 🇺🇸United States attheshow
Sorry, I haven't been able to test that just yet.
Automatically closed - issue fixed for 2 weeks with no activity.