WordPress frontend user/customer logging out of WordPress WooCommerce gets an nginx auth prompt

Discussion in 'Blogs & CMS usage' started by ct_roy, Dec 2, 2023.

  1. ct_roy

    So currently I have the basic auth enabled to protect wp-login which is great.

    Code:
    location ~* ${WPSUBDIR}/(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        auth_basic_user_file /home/nginx/domains/$vhostname/htpasswd_wplogin; 
        include /usr/local/nginx/conf/php-wpsc.conf;
        ${MULTIPHP_INCLUDES}
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    The issue I have is that any frontend users and/or WooCommerce customers get redirected to wp-login.php upon logging out - which triggers the basic auth dialog.

    Code:
    https://www.mydomain.com/wp-login.php?action=logout&redirect_to=https%3A%2F%2Fwww.mydomain.com%2Fmy-account%2F&_wpnonce=noncegoeshere
    I can have my cake and eat it by changing the default log out url as follows:

    PHP:
    // The 4th argument (2) is needed so that $redirect is passed to the callback;
    // without it the filter only receives $logout_url.
    add_filter( 'logout_url', 'custom_logout_url', 10, 2 );
    add_action( 'wp_loaded', 'custom_logout_action' );

    /**
     * Replace default log-out URL.
     *
     * @wp-hook logout_url
     * @param   string $logout_url
     * @param   string $redirect
     * @return  string
     */
    function custom_logout_url( $logout_url, $redirect )
    {
        // Logout link now points at the site root (?logout=1) instead of wp-login.php,
        // so the nginx basic auth on wp-login.php is never triggered.
        $url = add_query_arg( 'logout', 1, home_url( '/' ) );

        if ( ! empty( $redirect ) )
            $url = add_query_arg( 'redirect', $redirect, $url );

        return $url;
    }

    /**
     * Log the user out.
     *
     * @wp-hook wp_loaded
     * @return  void
     */
    function custom_logout_action()
    {
        if ( ! isset( $_GET['logout'] ) )
            return;

        wp_logout();

        // wp_safe_redirect() instead of wp_redirect(): it refuses off-site targets,
        // so a crafted ?redirect= value cannot send the user to another host.
        $loc = isset( $_GET['redirect'] ) ? $_GET['redirect'] : home_url( '/' );
        wp_safe_redirect( $loc );
        exit;
    }
    But I thought I'd report this in case other WordPress/WooCommerce users are running into this issue.

    I wonder if the nginx rule could be made a bit cleverer to stop direct access, but still allow any requests through that contain any action=logout or redirect_to parameters?


    ChatGPT has suggested this potential enhancement, but I'm wondering if that might introduce some vulnerabilities that I'm not considering?


    Code:
    location ~* /(wp-login\.php) {
        # Check if the request includes 'action=logout' parameter
        if ($arg_action = "logout") {
            # Bypass auth and rate limiting for logout action
            # Include necessary PHP configuration for processing the request
            include /usr/local/nginx/conf/php-rediscache.conf;
            break;
        }
    
        # Apply auth and rate limiting for other requests
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        auth_basic_user_file /home/nginx/domains/commercegurus.com/htpasswd_wplogin;   
        #include /usr/local/nginx/conf/php-wpsc.conf;
    
        # PHP configuration for caching, etc.
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
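A nonce-checked variant of the custom logout endpoint, added here as an example and not code posted in this thread: it leaves wp-login.php entirely behind the nginx basic auth (no `action=logout` exception needed), only logs the user out when the link carries a valid WordPress nonce, and uses `wp_safe_redirect()` so the redirect target cannot point off-site. The function names, the `frontend_logout` query argument and the `frontend-logout` nonce action are assumptions; all WordPress functions used are core ones.

```php
<?php
/**
 * Plugin Name: Front-end logout endpoint (added example)
 *
 * Replaces the default "Log out" URL (wp-login.php?action=logout) with a
 * nonce-protected URL on the site root, so front-end/WooCommerce users never
 * request wp-login.php and never see the nginx basic-auth dialog.
 */

// The 4th argument (2) makes WordPress pass $redirect to the callback.
add_filter( 'logout_url', 'example_frontend_logout_url', 10, 2 );
add_action( 'wp_loaded', 'example_frontend_logout_handler' );

function example_frontend_logout_url( $logout_url, $redirect ) {
    // Assumed endpoint: https://<site>/?frontend_logout=1&redirect_to=...&_wpnonce=...
    $url = add_query_arg( 'frontend_logout', '1', home_url( '/' ) );
    if ( ! empty( $redirect ) ) {
        // add_query_arg() URL-encodes the value; PHP decodes it again in $_GET.
        $url = add_query_arg( 'redirect_to', $redirect, $url );
    }
    // Nonce is bound to the current user and to the 'frontend-logout' action.
    return add_query_arg( '_wpnonce', wp_create_nonce( 'frontend-logout' ), $url );
}

function example_frontend_logout_handler() {
    if ( ! isset( $_GET['frontend_logout'] ) ) {
        return;
    }

    // Reject forged or stale links: a third-party page cannot know this user's
    // nonce, so it cannot force a logout (login CSRF / forced-logout protection).
    $nonce = isset( $_GET['_wpnonce'] ) ? $_GET['_wpnonce'] : '';
    if ( ! is_user_logged_in() || ! wp_verify_nonce( $nonce, 'frontend-logout' ) ) {
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }

    wp_logout();

    // wp_safe_redirect() only follows targets on this site's host (plus any host
    // added via the allowed_redirect_hosts filter); anything else falls back to
    // the admin URL, so redirect_to cannot be abused as an open redirect.
    $target = isset( $_GET['redirect_to'] ) ? $_GET['redirect_to'] : home_url( '/' );
    wp_safe_redirect( $target );
    exit;
}
```

WooCommerce builds its "Logout" link through `wp_logout_url()`, so the `logout_url` filter above covers the My Account page as well.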
    
     
  2. eva2000

    If you have a member/staff login WordPress-based web site, then usually you would disable the WordPress login nginx HTTP password authentication at that level. I don't run a member-based WordPress site myself though.

    Relying on the logout query string might not be ideal, as attackers could then use that for bypass? Your idea of changing the logout URL seems better. Also found this, where they configured logout without confirmation: https://njengah.com/woocommerce-logout-without-confirmation/

    PHP:
    add_action( 'check_admin_referer', 'logout_without_confirm', 10, 2 );

    /**
     * Allow log out without confirmation.
     *
     * check_admin_referer() fires this hook before it fails on a missing nonce;
     * when the log-out action arrives without _wpnonce, redirect to a properly
     * nonced logout URL instead of showing the "Do you really want to log out?" page.
     */
    function logout_without_confirm( $action, $result )
    {
        if ( $action == "log-out" && ! isset( $_GET['_wpnonce'] ) ) {
            $redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';

            // wp_logout_url() returns an HTML-escaped URL (&amp;), so undo that for the header.
            $location = str_replace( '&amp;', '&', wp_logout_url( $redirect_to ) );

            header( "Location: $location" );
            die();
        }
    }
    or
    PHP:
    add_action( 'template_redirect', 'logout_confirmation' );

    // When the WooCommerce customer-logout endpoint is requested, skip the
    // confirmation page by redirecting straight to a nonced logout URL.
    function logout_confirmation() {
        global $wp;

        if ( isset( $wp->query_vars['customer-logout'] ) ) {
            wp_redirect( str_replace( '&amp;', '&', wp_logout_url( wc_get_page_permalink( 'myaccount' ) ) ) );
            exit;
        }
    }
    Maybe try either of the WordPress hooks and see which is better, and let us know :)
     
  3. eva2000

    I asked ChatGPT and got :D

    PHP:
    add_action( 'template_redirect', 'custom_logout_redirect' );

    function custom_logout_redirect() {
        if ( ! is_user_logged_in() ) {
            return; // Exit if the user is not logged in
        }

        global $wp;

        if ( isset( $wp->query_vars['logout'] ) || isset( $wp->query_vars['customer-logout'] ) ) {
            // Redirect location set to the sanitized home URL
            $redirect_location = esc_url_raw( home_url( '/' ) );

            // Perform the redirect with sanitized URL (wp_logout_url() returns &amp;-escaped output)
            wp_redirect( str_replace( '&amp;', '&', wp_logout_url( $redirect_location ) ) );
            exit;
        }
    }