Similar to the question over at Get wp_logout_url function to work on external (non-Wordpress) page
The problem I am facing is the fact the subdomain is on a different server, so I am unable to include/require the wp-blog-header.php file.
Is there a way that I can whitelist domains that can allow instant logouts, like you can for the redirect whitelist?
If not, how can I allow subdomains (it has remote sql access) to create a valid logout link that bypasses the “Are you sure you want to logout” notice?
Re: @SatbirKira
Does this look like a logical workaround to make sure the logout is “valid” to a certain degree:
- Set the logout URL every 24 hours to have a query string with a random string appended to it, for example: http://website.com/custom_logout.php?confirm=sj239ks, followed by http://website.com/custom_logout.php?confirm=32k9la3
Each time it changes it would edit a specific file (custom_logout.php on the other server OR a txt/ini file on its own server OR other server) and create an array/list of strings
$confirmkeys = array("sj239ks", "32k9la3");
or
[confirmkeys]
confirm[] = sj239ks
confirm[] = 32k9la3
It would only ever have 2 confirm keys in the file, one for 24 hours ago (just in case someone has the page still open) and one for the current 24 hours.
I guess the same thing could be done individually instead of globally but is there much need for that?
- Edit custom_logout.php to add a check to see if $_SERVER['HTTP_REFERER'] is coming from the same domain (all subdomains). If it is, then set matching_referer to true. If not, set the variable to false.
- Edit custom_logout.php to add a check to see if the query string matches against one stored inside a specific file. (easiest to do with a txt/ini file on the secondary server?) If it matches, then set matching_confirm to true. If not, set the variable to false.
- Edit custom_logout.php and make it so that as long as one (any) of the checks is true it logs out cleanly; if they are both false, log out with the warning by sending them to the /wp-login.php?action=logout page?
2 Answers
You can create a file called custom_logout.php and place it in the root wordpress directory. This contains
<?php
require_once("wp-load.php"); //load wordpress
wp_logout(); //logout
exit(); //end page
?>
Then in your subdomain site open the url with an anchor tag
<a href="http://youwebsite.com/custom_logout.php">Logout</a>
You can’t create a whitelist easily because it would involve checking where the user is coming from using $_SERVER['HTTP_REFERER'], which is unreliable (usually null). There is no simple solution for this unfortunately.
Reply To Your Edit
You are completely free to implement the temporary key approach if that is a responsible compromise. However, instead of two random keys you can send an md5 hash of the current day. Use an identical secret salt on both servers. Now you can simply recompute yesterday’s hash and the current day’s in custom_logout.php and compare them to the GET variable that is incoming. It eliminates the need for a txt/ini file.
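
The daily-hash check from this answer, written out as an added example (not code from the answer or from WordPress). It uses HMAC-SHA256 with hash_equals() in place of md5 plus a salt; LOGOUT_SHARED_SECRET and the two function names are assumptions.

```php
<?php
// custom_logout.php on the WordPress server (added example).
// LOGOUT_SHARED_SECRET, logout_token() and logout_token_is_valid() are
// hypothetical names. The subdomain server needs the same constant and
// logout_token() to build its link.

// Identical on both servers; store it outside the web root in practice.
const LOGOUT_SHARED_SECRET = 'replace-with-a-long-random-value';

// Token for the UTC day containing $timestamp. Using UTC keeps the two
// servers in agreement even when their local time zones differ.
function logout_token(int $timestamp): string
{
    $day = gmdate('Y-m-d', $timestamp);
    return hash_hmac('sha256', 'logout|' . $day, LOGOUT_SHARED_SECRET);
}

// Accept today's token or yesterday's (a page left open across midnight).
function logout_token_is_valid(string $candidate, int $now): bool
{
    foreach ([$now, $now - 86400] as $timestamp) {
        // hash_equals() compares in constant time.
        if (hash_equals(logout_token($timestamp), $candidate)) {
            return true;
        }
    }
    return false;
}

// Link built on the subdomain server:
//   'http://website.com/custom_logout.php?confirm=' . logout_token(time())

require_once __DIR__ . '/wp-load.php'; // load WordPress

// Reject arrays such as ?confirm[]=x before comparing.
$confirm = (isset($_GET['confirm']) && is_string($_GET['confirm'])) ? $_GET['confirm'] : '';

if (logout_token_is_valid($confirm, time())) {
    wp_logout();
    wp_safe_redirect(home_url('/'));
} else {
    // No valid token: fall back to WordPress's own confirmation screen.
    wp_safe_redirect(site_url('wp-login.php?action=logout', 'login'));
}
exit;
```

The token is the same for every user on a given day and travels in the URL, so it ends up in browser history, server logs and Referer headers. It only gates the confirmation prompt and should not be reused to authorize anything else.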