• We recently noticed an issue with our WPMU with Domain Mapping: when a user logs out, the authentication cookies are cleared out only on the “original” domain (actual host of the WPMU), but not on the “mapped” domain. In other words, the user is only logged out on the real domain, but not on the mapped domain.

    I believe this is because the DM plugin is expecting the user to start the logout process on the mapped domain first, then the plugin can redirect the user to the original domain to finish the process.

    However, in our case we have to do things a little differently. We have a wildcard SSL for our original domain, but not the mapped domains, and we want users to be able to use HTTPS during login and while they are in the backend without having to see cert errors. So we changed all login and admin links to always use the original domain, instead of the mapped domains.

    Because of that change, the logout url will always use the original domain, and that is where it clears out the session. However, it does not redirect to the primary domain (which is mapped) and clear the session there. It ends up being a little confusing because the user would see the admin bar on the frontend even after they have supposedly logged out.

    While it’s not a real security issue since the site will make sure to redirect the user to use the original domain when they are trying to use the backend (and they will be considered logged out there), it is not ideal.

    Just changing the logout url domain to always use the primary mapped domain isn’t a good solution. This is because we specified to force the use of SSL for login in wp-config.php, which means that wp-login.php requires SSL. And as mentioned previously, our mapped domains don’t have proper SSL, so our users get a scary warning in their browser.

    Our solution was to create a custom logout logic. Essentially we created a new action that checks for a specific querystring value that would initiate the logout process (dologout=1 for example). Then we overrode the logout url to always use the primary mapped domain with the querystring value. When the user clicks on the link, they get redirected to the primary domain, the site calls wp_logout(), and the DM plugin takes over the rest of the logout process, and the user gets logged out on both mapped and original domain.

    Here is the simple code that worked for us:

    // custom logout logic to make sure primary domain's auth cookies are cleared
    function custom_logout() {
        if (isset($_REQUEST['dologout']) && isset($_REQUEST['nonce']) && wp_verify_nonce($_REQUEST['nonce'], 'logout_nonce')) {
            wp_logout();
            exit;
        }
    }
    add_action('init', 'custom_logout');
    
    // changes the logout url to use the primary domain
    function custom_logout_url($logout_url) {
        // build the link on the mapped domain over plain HTTP (no valid cert there), with a nonce
        return str_replace('https://', 'http://', domain_mapping_siteurl(null)) . '/?dologout=1&nonce=' . wp_create_nonce('logout_nonce');
    }
    add_filter('logout_url', 'custom_logout_url');

    Hopefully this will help someone else out there with a similar issue, and maybe even have this built into the next update (not necessarily the code, but the behavior)?

    http://wordpress.org/extend/plugins/wordpress-mu-domain-mapping/

  • The topic ‘[Plugin: WordPress MU Domain Mapping] Unable to logout on mapped domain’ is closed to new replies.
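
Added example, not part of the forum post or the Domain Mapping plugin: a Python check that replays the Set-Cookie headers seen during a logout flow and reports which hosts still hold WordPress auth cookies, which is the symptom the post describes. The host names, cookie hash and header values are constructed sample data, and cookies are assumed to be host-only.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def is_auth_cookie(name):
    # WordPress auth cookies are wordpress_<hash>, wordpress_sec_<hash> and
    # wordpress_logged_in_<hash>; wordpress_test_cookie carries no session.
    return name.startswith("wordpress_") and name != "wordpress_test_cookie"

def parse_set_cookie(header, now):
    """Return (cookie name, True if this header expires the cookie)."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0]
    expired = False
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.lower() == "max-age":
            expired = expired or int(val) <= 0
        elif key.lower() == "expires":
            expired = expired or parsedate_to_datetime(val) <= now
    return name, expired

def live_auth_cookies(flow, now=None):
    """Replay (host, [Set-Cookie values]) responses; return auth cookies left per host."""
    now = now or datetime.now(timezone.utc)
    jar = {}  # assumption: host-only cookies, so one jar per host and nothing shared
    for host, headers in flow:
        for header in headers:
            name, expired = parse_set_cookie(header, now)
            if not is_auth_cookie(name):
                continue
            if expired:
                jar.setdefault(host, set()).discard(name)
            else:
                jar.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in jar.items() if names}

# Constructed sample data: hosts, hash and cookie values are placeholders.
ORIGINAL, MAPPED = "site1.network.example", "www.mapped.example"
SET = "wordpress_logged_in_0123abcd=constructed-value; path=/; HttpOnly"
CLEAR = "wordpress_logged_in_0123abcd=+; expires=Wed, 01 Jan 2020 00:00:00 GMT; Max-Age=0; path=/"
LOGIN = [(ORIGINAL, [SET]), (MAPPED, [SET])]
# Logout link on the original domain: only that host clears its cookies.
BROKEN = LOGIN + [(ORIGINAL, [CLEAR])]
# Logout link on the mapped domain, followed by the redirect to the original domain.
FIXED = LOGIN + [(MAPPED, [CLEAR]), (ORIGINAL, [CLEAR])]

if __name__ == "__main__":
    print("original-domain logout leaves:", live_auth_cookies(BROKEN))
    print("mapped-domain logout leaves:  ", live_auth_cookies(FIXED))
```

Feeding it the Set-Cookie headers captured from each hop of a real logout gives a quick regression check that every domain in the chain expires its auth cookies.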