Problem

With Drupal 10.3/11 the user/logout route is CSRF protected, see: https://www.drupal.org/node/2822514
So when the token is missing, the confirmation form gets shown. However, that is atm not supported by the user-forms module, so the logout operation fails.

Comments

fago created an issue. See original summary.

fago’s picture

fago
Primary language German
Location Vienna
commented
Title: User logout confirmation form is not supported (d10.3+) » Add support for user confirmation form of 10.3+
Category: Bug report » Feature request

I think this is not really a bug now, because there are ways to work around it.

I came up with a simple one. Use the account-menu, which at least in standard profile, is there and provides us with working login/logout links. The logout link already contains the right token. api response for testing: /api/menu_items/account

fago’s picture

fago
Primary language German
Location Vienna
commented

unfortunately the logout link token has some issues also, see #3484945: Wrong user logout CSRF token

fago’s picture

fago
Primary language German
Location Vienna
commented
Priority: Major » Minor

I think this is not important, since generally it's better to make CSRF-token protected links work properly. The confirm-form we could make work, but including the redirect to the form, it's gonna be some additional work that might not be worth it.