Logout via Subdomain, non-wordpress page on a different server?

Similar to the question over at Get wp_logout_url function to work on external (non-Wordpress) page

The problem I am facing is that the subdomain is on a different server, so I am unable to include/require the wp-blog-header.php file.

Is there a way that I can whitelist domains that can allow instant logouts, like you can for the redirect whitelist?

If not, how can I allow subdomains (it has remote SQL access) to create a valid logout link that bypasses the “Are you sure you want to logout” notice?

Re: @SatbirKira

Does this look like a logical workaround to make sure the logout is “valid” to a certain degree:

  • Set the logout URL every 24 hours to have a query string with a random string appended to it for example: http://website.com/custom_logout.php?confirm=sj239ks, followed by http://website.com/custom_logout.php?confirm=32k9la3

Each time it changes it would edit a specific file (custom_logout.php on the other server OR a txt/ini file on its own server OR other server) and create an array/list of strings

$confirmkeys = array("sj239ks", "32k9la3");

or

[confirmkeys]
confirm[] = sj239ks
confirm[] = 32k9la3

It would only ever have 2 confirm keys in the file: one for 24 hours ago (just in case someone has the page still open) and one for the current 24 hours.

I guess the same thing could be done individually instead of globally but is there much need for that?

  • Edit custom_logout.php to add a check to see if $_SERVER['HTTP_REFERER'] is coming from the same domain (all subdomains). If it is then set matching_referer to true. If not set the variable to false.

  • Edit custom_logout.php to add a check to see if the query string matches against one stored inside a specific file. (easiest to do with a txt/ini file on the secondary server?) If it matches then set matching_confirm to true. If not set the variable to false.

  • Edit custom_logout.php so that as long as one (any) of the checks is true it logs out cleanly; if they are both false, log out with the warning by sending them to the /wp-login.php?action=logout page?

2 Answers
2

You can create a file called custom_logout.php and place it in the root WordPress directory. It contains:

<?php 
     require_once("wp-load.php"); //load wordpress
     wp_logout(); //logout
     exit(); //end page
?>

Then, on your subdomain site, open the URL with an anchor tag:

<a href="http://youwebsite.com/custom_logout.php">Logout</a>

You can’t create a whitelist easily because it would involve checking where the user is coming from using $_SERVER['HTTP_REFERER'], which is unreliable (usually null). There is no simple solution for this unfortunately.

Reply To Your Edit

You are completely free to implement the temporary key approach if that is a responsible compromise. However, instead of two random keys you can send an MD5 hash of the current day. Use an identical secret salt on both servers. Now you can simply recompute yesterday’s hash and the current day’s in custom_logout.php and compare them to the incoming GET variable. It eliminates the need for a txt/ini file.
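
The day-based key from the answer above, sketched as an added example (not code from the original answer). It swaps the MD5-plus-salt hash for HMAC-SHA256 and compares in constant time; the function names, the `confirm` handling and the secret value are hypothetical placeholders.

```php
<?php
// Added example: names and the secret below are hypothetical placeholders.
// Both servers must hold the same secret, stored outside the web root.
const LOGOUT_SHARED_SECRET = 'REPLACE-WITH-LONG-RANDOM-SECRET';

// Token for the UTC day containing $timestamp.
// HMAC-SHA256 stands in for the md5(salt . date) construction the answer describes.
function logout_token_for_day(int $timestamp, string $secret): string
{
    // gmdate() keeps both servers on the same calendar day whatever their local time zone.
    return hash_hmac('sha256', 'logout|' . gmdate('Y-m-d', $timestamp), $secret);
}

// Accept today's or yesterday's token, so a page left open overnight still works.
function is_valid_logout_token($candidate, string $secret, ?int $now = null): bool
{
    // $_GET values can arrive as arrays (?confirm[]=x); only non-empty strings are compared.
    if (!is_string($candidate) || $candidate === '') {
        return false;
    }
    $now = $now ?? time();
    $ok = false;
    foreach ([$now, $now - 86400] as $ts) {
        // hash_equals() is a constant-time comparison; both days are always checked.
        $ok = hash_equals(logout_token_for_day($ts, $secret), $candidate) || $ok;
    }
    return $ok;
}

// In custom_logout.php the check would gate the logout, falling back to the
// confirmation page at /wp-login.php?action=logout when it fails:
//   if (is_valid_logout_token($_GET['confirm'] ?? null, LOGOUT_SHARED_SECRET)) { wp_logout(); }

// Constructed demonstration with a fixed clock (2024-03-10 12:00:00 UTC).
$now = gmmktime(12, 0, 0, 3, 10, 2024);
$samples = [
    'today'        => logout_token_for_day($now, LOGOUT_SHARED_SECRET),
    'yesterday'    => logout_token_for_day($now - 86400, LOGOUT_SHARED_SECRET),
    'two days old' => logout_token_for_day($now - 2 * 86400, LOGOUT_SHARED_SECRET),
    'array input'  => ['x'],
];
foreach ($samples as $label => $candidate) {
    $valid = is_valid_logout_token($candidate, LOGOUT_SHARED_SECRET, $now);
    printf("%-12s %s\n", $label, $valid ? 'accepted' : 'rejected');
}
```

Because the token is the same for every visitor on a given day, anyone who has seen that day's link can reuse it in a cross-site logout request until it expires; binding the value to the individual user would be needed to close that gap.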
