• Resolved bydlo

    (@bydlo)


    Hi
    If a customer wants to log out from his account he gets a login screen (generated by our htaccess).
    Of course we do have secured our backend (that's a standard security measure) with a htaccess and it seems that WooCommerce has a conflict with that.

    Here is the content of our htaccess:
    <Files wp-login.php>
    AuthType Basic
    AuthName "My Protected Area"
    AuthUserFile ….path to the/.htpasswd
    Require valid-user
    </Files>

    Since we don't want to open the doors to hackers just to make WooCommerce run, we would be very happy to get a solution for that.

    Kind regards
    bydlo


Viewing 4 replies - 1 through 4 (of 4 total)
  • dougaitken

    (@dougaitken)

    Automattic Happiness Engineer

    Hi there @bydlo,

    This is most likely something to do with your htaccess file.

    If you head to WooCommerce > Settings > Accounts, you can specify the account endpoints. When a customer logs out they should be presented with customer-logout and not your main wp-login page.

    Please see this support document for more details.

    If I can help further, please reply here, but if this has helped, be sure to mark this thread as Resolved.

    Thanks,

    We haven’t heard back from you in a while, so I’m going to mark this as resolved. If you have any further questions, you can start a new thread.

    I too have this issue.

    I have access control on my wp-login.php

    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Protected Area"
    AuthUserFile /xxx/htpasswd
    Require valid-user
    </FilesMatch>

    And when I click logout I get an htaccess authentication request, and when I click cancel (because as a normal user I wouldn't have the credentials) I get an Unauthorised error from:

    https://xxx/wp-login.php?action=logout&redirect_to=https%3A%2F%2Fxxx%2Fmy-account%2F&_wpnonce=ed67dae6f5

    Whilst the logout link initially calls:

    https://xxx/my-account/customer-logout/?_wpnonce=4d15a32448

    It obviously has a redirect somewhere to the wp-login page.

    Any help appreciated.

    Thanks very much
    Kevin

    Trying to answer my own question, I think I need the htaccess rule to allow requests to wp-login.php?action=logout without requiring authentication. Not sure how to do that though.
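
One way to write the exemption asked about in the last reply, as an added example that is not part of the original thread and not WooCommerce's or WordPress's own configuration. It assumes Apache 2.4 (mod_authz_core, with AuthConfig overrides allowed for .htaccess); the AuthUserFile path is a placeholder.

```apache
# Keep Basic authentication on wp-login.php, but let the logout
# redirect through without a password prompt.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Protected Area"
    # Placeholder path: point this at the real .htpasswd file,
    # stored outside the web root.
    AuthUserFile /path/to/.htpasswd

    # Access is granted if EITHER rule below matches.
    <RequireAny>
        # Rule 1: a GET request whose query string carries
        # action=logout as a complete parameter. This is the shape
        # of the redirect target quoted in the thread:
        #   wp-login.php?action=logout&redirect_to=...&_wpnonce=...
        # The (^|&) and (&|$) anchors stop values such as
        # "xaction=logout" or "action=logoutfoo" from matching.
        # Restricting the rule to GET keeps every form POST to
        # wp-login.php behind the password.
        Require expr "%{REQUEST_METHOD} == 'GET' && %{QUERY_STRING} =~ /(^|&)action=logout(&|$)/"

        # Rule 2: everything else on wp-login.php still needs a
        # valid user from the .htpasswd file.
        Require valid-user
    </RequireAny>
</Files>
```

Because the first rule does not depend on a user name, Apache grants matching requests without sending the Basic authentication challenge; any other request to wp-login.php falls through to `Require valid-user` and is prompted as before.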

  • The topic ‘Customer cant logout – security issue’ is closed to new replies.