We’ve recently just upgraded our WordPress site to 5.1.1
After the upgrade, we’ve started encountering issues when executing the wp_logout() function of WordPress. Somehow we’re getting a 302 response but there is no error/warning being shown.
I’ve narrowed it inside the wp_logout() and determined that both wp_destroy_current_session(); and wp_clear_auth_cookie(); are working fine!
This means that the error happens when the last line in wp_logout() is called:
do_action( 'wp_logout' );
My question is:
Is it possible to for external plugins to somehow corrupt the
wp_logoutaction with functions that can break the flow and give a302or is there anything in5.1.1that affectedwp_logoutsomehow?
1 Answer
A lot has changed in 5.1/5.1.1, but the changes I’m seeing in WordPress core wouldn’t cause 302 redirects on their own.
1. wp_logout is pluggable
wp_logout is a pluggable function. That means anyone can override this function and cause it to do something different because the function is wrapped in a condition checking for other functions with the same name. Here’s the contents of wp_logout:
if ( ! function_exists( 'wp_logout' ) ) :
wp_destroy_current_session();
wp_clear_auth_cookie();
/**
* Fires after a user is logged-out.
*
* @since 1.5.0
*/
do_action( 'wp_logout' );
endif;
2. wp_logout calls a do_action hook
The last part of the function is calling a do_action which anyone can use to add to the function, including redirects.
3. wp_logout calls other functions
wp_logout calls wp_destroy_current_session and wp_clear_auth_cookie. Either of these could complicate things as well. wp_destroy_current_session is able to be modified to use other systems like Redis storage or other methods via the session_token_manager filter. wp_clear_auth_cookie is a pluggable function and also has a do_action hook.
So, to answer your question…
WordPress 5.1.1 didn’t change anything that would cause a call to
wp_logout()to throw a 302 redirect, but there are plenty of opportunities for other plugins or themes to cause this to occur.
