We’ve recently just upgraded our WordPress site to 5.1.1.
After the upgrade, we’ve started encountering issues when executing the wp_logout() function of WordPress. Somehow we’re getting a 302 response but there is no error/warning being shown.
I’ve narrowed it inside the wp_logout() and determined that both wp_destroy_current_session(); and wp_clear_auth_cookie(); are working fine!
This means that the error happens when the last line in wp_logout() is called:
    do_action( 'wp_logout' );
My question is:
Is it possible for external plugins to somehow corrupt the wp_logout action with functions that can break the flow and give a 302, or is there anything in 5.1.1 that affected wp_logout somehow?
1 Answer
A lot has changed in 5.1/5.1.1, but the changes I’m seeing in WordPress core wouldn’t cause 302 redirects on their own.
1. wp_logout is pluggable
wp_logout is a pluggable function. That means anyone can override this function and cause it to do something different because the function is wrapped in a condition checking for other functions with the same name. Here’s the contents of wp_logout:
    if ( ! function_exists( 'wp_logout' ) ) :
        // Defined only if no plugin has already declared wp_logout().
        function wp_logout() {
            wp_destroy_current_session();
            wp_clear_auth_cookie();
            /**
             * Fires after a user is logged-out.
             *
             * @since 1.5.0
             */
            do_action( 'wp_logout' );
        }
    endif;
2. wp_logout calls a do_action hook
The last part of the function is calling a do_action which anyone can use to add to the function, including redirects.
3. wp_logout calls other functions
wp_logout calls wp_destroy_current_session and wp_clear_auth_cookie. Either of these could complicate things as well. wp_destroy_current_session is able to be modified to use other systems like Redis storage or other methods via the session_token_manager filter. wp_clear_auth_cookie is a pluggable function and also has a do_action hook.
So, to answer your question…
WordPress 5.1.1 didn’t change anything that would cause a call to wp_logout() to throw a 302 redirect, but there are plenty of opportunities for other plugins or themes to cause this to occur.
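
Added example, not part of the original answer or of WordPress core: a diagnostic must-use plugin that checks the three points above by logging which file defines wp_logout(), which callbacks are attached to the wp_logout action, and which call path issues a redirect. The file name and the logout_trace_describe helper are assumptions made for illustration.

```php
<?php
// Added diagnostic example: a hypothetical mu-plugin (file name is an assumption,
// e.g. wp-content/mu-plugins/logout-trace.php). Writes findings to the PHP error log.

// Describe a hook callback (function, Class::method, closure) with its source location.
function logout_trace_describe( $callback ) {
	if ( is_string( $callback ) && false !== strpos( $callback, '::' ) ) {
		$callback = explode( '::', $callback, 2 );
	}
	try {
		if ( is_array( $callback ) ) {
			$ref  = new ReflectionMethod( $callback[0], $callback[1] );
			$name = $ref->class . '::' . $ref->name;
		} else {
			$ref  = new ReflectionFunction( $callback );
			$name = $ref->getName();
		}
	} catch ( Throwable $e ) {
		return 'unresolvable callback'; // e.g. magic __call methods or invokable objects
	}
	return sprintf( '%s (%s:%d)', $name, $ref->getFileName(), $ref->getStartLine() );
}

// Priority PHP_INT_MIN: report before any other callback can redirect and exit.
add_action( 'wp_logout', function () {
	global $wp_filter;

	// 1. Pluggable check: core defines wp_logout() in wp-includes/pluggable.php.
	$definer = new ReflectionFunction( 'wp_logout' );
	error_log( 'wp_logout() is defined in ' . $definer->getFileName() );

	// 2. Everything attached to the 'wp_logout' action, in execution order.
	foreach ( $wp_filter['wp_logout']->callbacks as $priority => $callbacks ) {
		foreach ( $callbacks as $entry ) {
			error_log( "wp_logout hook @ $priority: " . logout_trace_describe( $entry['function'] ) );
		}
	}

	// 3. From here on, log every redirect that passes through wp_redirect().
	add_filter( 'wp_redirect', function ( $location, $status ) {
		error_log( "redirect $status to " . wp_json_encode( $location ) . ' via ' . wp_debug_backtrace_summary() );
		return $location;
	}, PHP_INT_MAX, 2 );
}, PHP_INT_MIN );
```

If nothing is logged, wp_logout() has been replaced by a version that never fires the action. A redirect sent with a direct header() call bypasses the wp_redirect filter and will not appear in step 3.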