Logging out on another domain doesn't log the user out

[rmccue]

• Log in to main domain
• Go to alternative domain
• Get logged in via SSO
• Log out of the alternative domain
• Next viewed page logs you back in via SSO

We should instead log out of the main domain, then sync that back across.

[rmccue]

This should be fixable in 4.0 with session tokens, however we're kind of blocked on WP30247 to be able to share tokens across sites.

[scarstens]

@rmccue is this still an issue in 4.3.1? I tried testing this today with SSO enabled and it seemed to log me out everywhere.

[rmccue]

I'm 99% certain this still needs to be done; when we create the new cookie, we need to use the existing session ID. r32465 (since 4.3) should have made this possible, we just need to use it.

[bjork]

I was having this issue, but I could not easily figure out how to actually fix it properly, even with the pointers above. For others that might have the same issue, here is my workaround. It destroys all the sessions the user that is logging out might have.

add_action( 'wp_logout', function () {
	$sessions = WP_Session_Tokens::get_instance( get_current_user_id() );
	$sessions->destroy_all();
} );

[r-a-y]

Just encountered this issue.

bjork's solution destroys all user sessions, which is kind of a brute-force workaround.

I've added a PR (#117), which does what rmccue states above: #14 (comment). If you're testing this PR, ensure you are logged out on the main site and on your mapped domain(s) beforehand. Then attempt to login on the main site. Next, open a new tab and navigate to the mapped domain. Lastly, attempt to logout from the mapped domain.