Wappler Version : 445
Operating System : Win10 Pro
PHP My SQL
The logout function below won’t log out user on either Safari and Chrome mobile browsers.
(We’re using the right security provider… and are still unable to remove old, unused ones)
Is there any step we are missing here?
Hi @Fred_K,
As there is no PHP Require (obviously), within the HTML pages of the mobile app, this PHP is used for the Security Provider settings for the page, but can’t be included in the HTML… What I suggest as a work-a-round, is to add a Security Restrict Step above all other Steps within, lets say, the User Profile (or any Action that is loaded on all pages), if you don’t have such an Action available you could just create one with a Security Restrict Step. Then include this in all pages for your app with a Dynamic Event using Unauthorised and a Browser Go To directing to your specific login page for example. Then if the request for the Action returns Unauthorised it will redirect based on the links you specified in the Restrict Step (Forbidden), and fallback on the Browser Go To link for good measure…
Thanks Dave.
Pretty hard to understand the logic though… and worried abt the need for a “workaround” for mobile tbh…
So you mean we should add a Security Restrict step at the start of each API run on all pages of our website? Like so for our login page so that the logout (with an added Secur Restrict too) works on mobile?
Not so much as a work-a-round but a solution as can’t run the PHP script within the mobile application pages. You could add the Restrict Step to each Action (you won’t want it on your login though). Specify the Login and Forbidden URL’s. That should suffice.
Sorry, logout still does not work on mobile.
Secu Restrict was added as first step in one of the several API actions (called via Server Connect of course) of a user profile page for example. Tried to logout from that user page, I get a success msg notification (the form does have a successful submit) yet user still logged in on mobile.
This is all very confusing: adding a secu restrict step to some API that runs on the page.
Is there any tutorial on how secu restrict works and should be used?
Thanks but I’m ever more confused.
We’re not building a mobile app. It is a website which I need available on mobile.
The Login works, so why not the log out? In other words, I still do not understand all your previous explanation.
EDIT: @Teodor why is my log in working fine, but not my logout (after I follow your tutorial)?
Hi Fred,
Are sure it’s not logging out? I have had issues with the logout not redirecting but if you refresh the page after logging out it denies access and returns to the log in screen.
Could this be what’s happening for you? I think I solved it by using a flow (i’d have to check).
I dont know if this is ok but: maybe you can make an api in your server side called “logout” and execute a security logout, then create a page in your client side called “logout.php” and make it run a server connect component linked to the api (Even, in success event, you can redirect to login again, o wherever you want)
Hey Brad,
Thanks for your input.
It s not a pb of redirecting to another page, after I click log out on the home page (index.php), I can still browse to restricted pages like dashboard, account,… Whether I refresh or not.
Then again, if I can log in with no issues on mobile, I should be able to log out the same straight way. Which is why it seems like a bug. (all working well on desktop!)
What is going on?!
You are right, this is what I did (except that the page is not called logout). The page loads a server connect which runs this logout API - on-click. And I do get a success event: a success notification pops up.
Did you try uploading all the files to your server again? Maybe something is missing
In mobile apps you usually have just a single html page running as SPA. And you only secure your server connect actions. So that only logged in users can call them.
Interesting idea thanks, I just uploaded all again but it’s still not working.
It is not a (native) mobile app. It is a website, which I can log out from desktop, but can do so on mobile (safari or chrome).
So how do you determine that the user is stil logged in after a logout?
I can still browse to restricted pages like user’s own dashboard or account page, plus I have an avatar 
along with user name displayed in the menu when logged in. Still there when I log out, in mobile view.
All works fine on desktop.
Are you re-running the query that holds the user data after logout (usually as an on done dynamic event of the logout SC) and does the API file have a security restrict step at the start?
On the page, do you use Security Restrictions?
Yes, all concerned pages with limited access have restrictions:
I really don’t understand the question and the purpose / logic. The log out on desktop works well. Is there any extensive tutorial on the security restrict step?
Each of my pages run a few different API files. Index is public so data fetched by API is basic/public. Does it need a security restrict? What is the purpose of this step (since we have a security enforcer on each page)?
This data must come from somewhere - is the query that provides this being re-run after logout? If so, if it has a security restrict step, it should be ‘unauthorized’ in dev tools. This should indicate whether the logout step is not working as intended or whether it may be cacheing or something else…
