
Comments (11)

wxiaoguang commented on June 1, 2024

Thank you very much for your report.

  1. I'm redirected to the default (logged out) home page, but as soon as I click Sign In I'm automatically logged in, no username/password asked

What are your "Login Sources (Authentication Sources)" on the admin panel? Did you deploy Gitea under a sub-path behind reverse proxy?

  1. A red error message briefly appears at the top of the page, page refresh, I'm logged in again (no username/password form). Stack trace of the error:

I know this problem ... because Gitea reports some JS errors too aggressively, I think we could leave this problem to a new issue (it is not related to the "logout" problem)

from gitea.

wxiaoguang commented on June 1, 2024

For the first problem, could you also provide the browser's network logs? It might be also related to browsers/extensions, I know some browsers (or extensions) click the "login" button automatically for users if the passwords are remembered. If you could see a separate network POST request for signin, then it could be this case.

ps: I can't reproduce it on try.gitea.io ..........


silverwind commented on June 1, 2024

The JS error toast on logout I'm aware of, I think it's most likely harmless and should not hinder actual functionality. Still something we need to fix of course.


silverwind commented on June 1, 2024

I can reproduce locally like half of the time when I log out while being on the frontpage, there is definitely something fishy going on with the logout. The aborted request triggers the JS toast, and then apparently it logs back in again automatically. Maybe something related to OAuth code.


And no, my browser does not automatically click the "login", it only autofills.


silverwind commented on June 1, 2024

The JS initiator for the first GET above seems to be here:

window.location.href = `${appSubUrl}/`;


wxiaoguang commented on June 1, 2024

OK, 100% know the problem now, will propose a fix.


wxiaoguang commented on June 1, 2024

-> Improve logout from worker #30775


sryze commented on June 1, 2024

What are your "Login Sources (Authentication Sources)" on the admin panel? Did you deploy Gitea under a sub-path behind reverse proxy?

I have 0 authentication sources in Admin Settings, but yes, my Gitea instance is behind a reverse proxy (Apache).

I think 1st problem has something to do with DOMAIN and ROOT_URL mismatch. If I set DOMAIN = mydevice.local and APP_URL = http://mydevice/gitea (without the .local suffix), I can reproduce it sometimes if I open Gitea via http://mydevice/gitea, otherwise it doesn't happen.

My browser doesn't auto-login, it only fills in the username/password info (similar to @silverwind's).


sryze commented on June 1, 2024

I think 1st problem has something to do with DOMAIN and ROOT_URL mismatch ...

It seems to be also related to having a missing / after the subpath. So given ROOT_URL = http://mydevice.local/gitea/ and a logged in user:

  • User opens http://mydevice/gitea/ -> shows user's repositories page
  • User opens http://mydevice/gitea -> shows home page - if user clicks on Sign In, they are redirected to the repositories page

Relevant Apache config:

<VirtualHost *:80>
        <Proxy *>
                Order allow,deny
                Allow from all
        </Proxy>
        AllowEncodedSlashes NoDecode
        # Note: no trailing slash after either /gitea or port
        ProxyPass /gitea http://localhost:8077 nocanon

(adapted from https://docs.gitea.com/administration/reverse-proxies)


sryze commented on June 1, 2024

Adding this rewrite rule solved it for me:

RewriteEngine on
RewriteRule ^/gitea$ /gitea/ [R]


wxiaoguang commented on June 1, 2024

I think 1st problem has something to do with DOMAIN and ROOT_URL mismatch ...

It seems to be also related to having a missing /

I think it is a new problem, when there are sub paths, the cookie handling sometimes is tricky. Could you reproduce it in a browser's Private Window (without existing cookie)?

ps: for the real 1st problem (occasionally unable to log out & JS error), I am pretty sure it could be fixed by #30775, the real problem behind it is the "logout handler" sends 2 responses, one is for worker, one is for current page, the worker code conflicts with the cookie handling.

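The trailing-slash symptom and the rewrite workaround discussed above are what RFC 6265 cookie path matching produces when a session cookie is scoped to `Path=/gitea/`. The sketch below is an added example, not Gitea code and not from any commenter; the cookie name, its Path and the `/gitea/user/login` request path are assumptions, since the thread does not state them.

```javascript
// RFC 6265 section 5.1.4 path-match: is a cookie whose Path attribute is
// cookiePath sent on a request whose URL path is requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix match only counts on a "/" boundary.
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Constructed sample cookie: name and Path are assumptions for illustration.
const SESSION_COOKIE = {name: 'session_id', path: '/gitea/'};

// Models the workaround from the thread: RewriteRule ^/gitea$ /gitea/ [R]
// (the browser follows the redirect and re-requests the slash form).
function applyRewrite(path) {
  return path === '/gitea' ? '/gitea/' : path;
}

function cookieSent(requestPath, cookie = SESSION_COOKIE) {
  return pathMatches(requestPath, cookie.path);
}

// One row per requested path: the path the browser ends up requesting and
// whether the session cookie accompanies that request.
function report(paths, withRewrite) {
  return paths.map((p) => {
    const effective = withRewrite ? applyRewrite(p) : p;
    return {requested: p, effective, cookieSent: cookieSent(effective)};
  });
}

// Constructed request paths; '/giteax/' checks that a sibling path never matches.
const paths = ['/gitea', '/gitea/', '/gitea/user/login', '/giteax/'];
console.table(report(paths, false)); // '/gitea' arrives without the cookie
console.table(report(paths, true));  // after the redirect it arrives with it
```

Under these assumptions a request to `/gitea` reaches the server without the session cookie and is rendered as logged out, while the Sign In request under `/gitea/` carries it, which matches the redirect to the repositories page reported above.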
