We've recently just upgraded our WordPress site to 5.1.1

After the upgrade, we've started encountering issues when executing the wp_logout() function of WordPress. Somehow we're getting a 302 response but there is no error/warning being shown.

I've narrowed it inside the wp_logout() and determined that both wp_destroy_current_session(); and wp_clear_auth_cookie(); are working fine!

This means that the error happens when the last line in wp_logout() is called:

do_action( 'wp_logout' );

My question is:

Is it possible to for external plugins to somehow corrupt the wp_logout action with functions that can break the flow and give a 302 or is there anything in 5.1.1 that affected wp_logout somehow?

We've recently just upgraded our WordPress site to 5.1.1

After the upgrade, we've started encountering issues when executing the wp_logout() function of WordPress. Somehow we're getting a 302 response but there is no error/warning being shown.

I've narrowed it inside the wp_logout() and determined that both wp_destroy_current_session(); and wp_clear_auth_cookie(); are working fine!

This means that the error happens when the last line in wp_logout() is called:

do_action( 'wp_logout' );

My question is:

Is it possible to for external plugins to somehow corrupt the wp_logout action with functions that can break the flow and give a 302 or is there anything in 5.1.1 that affected wp_logout somehow?

• logout

• Welcome to WordPress StackExchange! I'd try to narrow this down in a copy of the affected site. Switch of plugins one by one and retest. – norman.lol Commented Apr 2, 2019 at 14:36
• 1 302 is used at times to redirect users – Tom J Nowell ♦ Commented Apr 2, 2019 at 14:52
• Well yes. add_action( 'wp_logout', function() { wp_redirect( home_url() ); die(); }); would do it. – Rup Commented Apr 2, 2019 at 15:22

1 Answer 1

A lot has changed in 5.1/5.1.1, but the changes I'm seeing in WordPress core wouldn't cause 302 redirects on their own.

1. wp_logout is pluggable

wp_logout is a pluggable function. That means anyone can override this function and cause it to do something different because the function is wrapped in a condition checking for other functions with the same name. Here's the contents of wp_logout:

if ( ! function_exists( 'wp_logout' ) ) :
    wp_destroy_current_session();
    wp_clear_auth_cookie();

    /**
     * Fires after a user is logged-out.
     *
     * @since 1.5.0
     */
    do_action( 'wp_logout' );
endif;

2. wp_logout calls a do_action hook

The last part of the function is calling a do_action which anyone can use to add to the function, including redirects.

3. wp_logout calls other functions

wp_logout calls wp_destroy_current_session and wp_clear_auth_cookie. Either of these could complicate things as well. wp_destroy_current_session is able to be modified to use other systems like Redis storage or other methods via the session_token_manager filter. wp_clear_auth_cookie is a pluggable function and also has a do_action hook.

So, to answer your question...

WordPress 5.1.1 didn't change anything that would cause a call to wp_logout() to throw a 302 redirect, but there are plenty of opportunities for other plugins or themes to cause this to occur.