Sign out link broken on 404 page

Summary

For different organisations, I use different GitLab.com accounts. So I have to switch between the two accounts regularly. For the past few months, when I was logged in with one account and accessed a project from the other account, I got an HTTP 404 "Page Not Found" error with a link at the bottom that says "Sign out and sign in with a different account".

This worked fine for a while, but recently, I can't exactly tell when it started, the link "Sign out and sign in with a different account" no longer works - it produces another HTTP 404 "Page Not Found" error after a HTTP 301 permanent redirect.

I can only sign out when I go to "Home" and then click on my user icon, then select "Sign out". This sign out link still works fine.

Steps to reproduce

• Log into GitLab
• Access a project that you cannot access with your account (or find any other 404 page, e.g. https://gitlab.com/users/sign_out)
• Click on "Sign out and sign in with a different account" on the HTTP 404 page
• You will find yourself on another 404 page with the same issue (e.g. https://gitlab.com/sign_out)

Example Project

https://gitlab.com/users/sign_out

(But not https://gitlab.com/404.html!)

What is the current bug behavior?

The link leads to a 404 page instead of signing the current user out and presenting the user with a form to log in again.

What is the expected correct behavior?

The link should sign the user out and then present the GitLab login page (this worked until not too long ago).

Relevant logs and/or screenshots

HTTP redirect (via Chrome Dev Tools, "Network" tab):

Request URL: https://gitlab.com/users/sign_out
Request Method: GET
Status Code: 301 Moved Permanently
Location: https://gitlab.com/sign_out

Redirect results in HTTP 404 error (via Chrome Dev Tools, "Network" tab):

Request URL: https://gitlab.com/sign_out
Request Method: GET
Status Code: 404 Not Found

Broken link on https://gitlab.com/sign_out

<a rel="nofollow" data-method="post" href="/users/sign_out">Sign out and sign in with a different account</a>

From https://gitlab.com/gitlab-org/gitlab/-/blob/e5ecbae93589d2cf44f8653669ca7e48fd13701f/app/views/errors/_footer.html.haml#L7

%nav
  %ul.error-nav
    %li
      = link_to s_('Nav|Home'), root_path
    %li
      - if current_user
        = link_to s_('Nav|Sign out and sign in with a different account'), destroy_user_session_path, method: :post

Working link on GitLab.com homepage:

<a class="sign-out-link" data-qa-selector="sign_out_link" rel="nofollow" data-method="post" href="/users/sign_out">Sign out</a>

From https://gitlab.com/gitlab-org/gitlab/-/blob/e5ecbae93589d2cf44f8653669ca7e48fd13701f/app/views/layouts/header/_current_user_dropdown.html.haml#L50

  - if current_user_menu?(:sign_out)
    %li.divider
    %li
      = link_to _("Sign out"), destroy_user_session_path, method: :post, class: "sign-out-link", data: { qa_selector: 'sign_out_link' }

Similar issues

I found some issues that might be related to this bug or at least potentially also affected by this bug:

• 404 page should give option to log in (#19731) - this issue could probably be closed, if the link is working again.
• Link to create merge request gives 404 if not logged in (#23097)
• Merge request link displays as 404 when not logged in (#31202)

Output of checks

This bug happens on GitLab.com.

I'm using "GitLab Next", current version 12.7.0-pre (revision: 277d8e90) according to https://gitlab.com/api/v4/version

Results of GitLab environment info

I can't provide environment info for GitLab.com.

Expand for output related to GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:env:info)
(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production)

Results of GitLab application Check

I can't provide application check for GitLab.com.

Expand for output related to the GitLab application check

(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)
(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)
(we will only investigate if the tests are passing)

Possible fixes

First, the link that points to /users/sign_out should be changed to /sign_out to avoid the HTTP 301 permanent redirect. But that would only remove the 301, not the actual bug.

mentioned in issue gitlab-org/quality/triage-reports#7 (closed)

mentioned in issue gitlab-org/quality/triage-reports#8 (closed)

added authentication devopsmanage groupauthentication and authorization [DEPRECATED] severity3 typebug labels

mentioned in issue #206812 (closed)

mentioned in issue #207749 (closed)

Now I've finally looked at the HTTP requests triggered by the two different links in more detail. The main problem is probably that the broken 404 page does not do a POST request to /users/sign_out, while the working link does. It looks like the method: :post in the HAML template is being ignored for that link or has no effect some some reason.

I have replaced potentially sensitive IDs with XXXXX.

Broken link on https://gitlab.com/sign_out

First HTTP Request -> HTTP 301 (Redirect)

Request Headers

GET /users/sign_out HTTP/1.1
Host: gitlab.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: https://gitlab.com/sign_out
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,de-DE;q=0.7,de;q=0.6
Cookie: user_callout_dismissed=true; hide_no_ssh_message=false; issuable_sort=updated_desc; new_nav=true; feature-highlighted-issue-boards=true; _ga=XXXXX; _mkto_trk=id:XXXXX&token:_mch-gitlab.com-XXXXX; issue_sort=updated_desc; diff_view=inline; event_filter=all; gitlab_canary=true; mergerequest_sort=updated_desc; _hjid=XXXXX; experimentation_subject_id=XXXXX; _biz_uid=XXXXX; _biz_flagsA=%7B%22Version%22%3A1%2C%22XDomain%22%3A%221%22%7D; _fbp=XXXXX; _biz_nA=7; _biz_pendingA=%5B%5D; sidebar_collapsed=false; frequently_used_emojis=XXXXX; collapsed_gutter=false; _gitlab_session=XXXXX; _sp_ses.6b85=*; _sp_id.6b85=XXXXX

Response Headers (HTTP 301, Redirect)

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 27 Feb 2020 15:35:46 GMT
Content-Type: text/html
Content-Length: 93
Cache-Control: no-cache
Content-Security-Policy: connect-src 'self' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net wss://gitlab.com https://sentry.gitlab.net https://customers.gitlab.com https://snowplow.trx.gitlab.net https://sourcegraph.com https://ec2.ap-east-1.amazonaws.com https://ec2.ap-northeast-1.amazonaws.com https://ec2.ap-northeast-2.amazonaws.com https://ec2.ap-northeast-3.amazonaws.com https://ec2.ap-south-1.amazonaws.com https://ec2.ap-southeast-1.amazonaws.com https://ec2.ap-southeast-2.amazonaws.com https://ec2.ca-central-1.amazonaws.com https://ec2.eu-central-1.amazonaws.com https://ec2.eu-north-1.amazonaws.com https://ec2.eu-west-1.amazonaws.com https://ec2.eu-west-2.amazonaws.com https://ec2.eu-west-3.amazonaws.com https://ec2.me-south-1.amazonaws.com https://ec2.sa-east-1.amazonaws.com https://ec2.us-east-1.amazonaws.com https://ec2.us-east-2.amazonaws.com https://ec2.us-west-1.amazonaws.com https://ec2.us-west-2.amazonaws.com https://iam.amazonaws.com; frame-ancestors 'self'; frame-src 'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-cloudresourcemanager.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://*.codesandbox.io; img-src * data: blob:; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/ https://apis.google.com 'nonce-XXXXX'; style-src 'self' 'unsafe-inline' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net; worker-src https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://gitlab.com blob:
Location: https://gitlab.com/sign_out
X-Request-Id: XXXXX
X-Runtime: 0.023369
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
GitLab-LB: fe-21-lb-gprd
GitLab-SV: web-02-sv-gprd

Second HTTP Request -> HTTP Error 404

GET /sign_out HTTP/1.1
Host: gitlab.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: https://gitlab.com/sign_out
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,de-DE;q=0.7,de;q=0.6
Cookie: user_callout_dismissed=true; hide_no_ssh_message=false; issuable_sort=updated_desc; new_nav=true; feature-highlighted-issue-boards=true; _ga=XXXXX; _mkto_trk=id:XXXXX&token:XXXXX; issue_sort=updated_desc; diff_view=inline; event_filter=all; gitlab_canary=true; mergerequest_sort=updated_desc; _hjid=XXXXX; experimentation_subject_id=XXXXX; _biz_uid=XXXXX; _biz_flagsA=%7B%22Version%22%3A1%2C%22XDomain%22%3A%221%22%7D; _fbp=XXXXX; _biz_nA=7; _biz_pendingA=%5B%5D; sidebar_collapsed=false; frequently_used_emojis=XXXXX; collapsed_gutter=false; _gitlab_session=XXXXX; _sp_ses.6b85=*; _sp_id.6b85=XXXXX

Working link on https://gitlab.com/

HTTP Request -> HTTP 302

POST /users/sign_out HTTP/1.1
Host: gitlab.com
Connection: keep-alive
Content-Length: 128
Pragma: no-cache
Cache-Control: no-cache
Origin: https://gitlab.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: https://gitlab.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,de-DE;q=0.7,de;q=0.6
Cookie: user_callout_dismissed=true; hide_no_ssh_message=false; issuable_sort=updated_desc; new_nav=true; feature-highlighted-issue-boards=true; _ga=XXXXX; _mkto_trk=id:XXXXX&token:XXXXX; issue_sort=updated_desc; diff_view=inline; event_filter=all; gitlab_canary=true; mergerequest_sort=updated_desc; _hjid=XXXXX; experimentation_subject_id=XXXXX; _biz_uid=XXXXX; _biz_flagsA=%7B%22Version%22%3A1%2C%22XDomain%22%3A%221%22%7D; _fbp=XXXXX; _biz_nA=7; _biz_pendingA=%5B%5D; sidebar_collapsed=false; frequently_used_emojis=XXXXX; collapsed_gutter=false; _gitlab_session=XXXXX; _sp_ses.6b85=*; _sp_id.6b85=XXXXX

HTTP Response (HTTP 302)

HTTP/1.1 302 Found
Server: nginx
Date: Thu, 27 Feb 2020 15:36:08 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 98
Cache-Control: max-age=0, private, must-revalidate, no-store
Content-Security-Policy: connect-src 'self' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net wss://gitlab.com https://sentry.gitlab.net https://customers.gitlab.com https://snowplow.trx.gitlab.net https://sourcegraph.com https://ec2.ap-east-1.amazonaws.com https://ec2.ap-northeast-1.amazonaws.com https://ec2.ap-northeast-2.amazonaws.com https://ec2.ap-northeast-3.amazonaws.com https://ec2.ap-south-1.amazonaws.com https://ec2.ap-southeast-1.amazonaws.com https://ec2.ap-southeast-2.amazonaws.com https://ec2.ca-central-1.amazonaws.com https://ec2.eu-central-1.amazonaws.com https://ec2.eu-north-1.amazonaws.com https://ec2.eu-west-1.amazonaws.com https://ec2.eu-west-2.amazonaws.com https://ec2.eu-west-3.amazonaws.com https://ec2.me-south-1.amazonaws.com https://ec2.sa-east-1.amazonaws.com https://ec2.us-east-1.amazonaws.com https://ec2.us-east-2.amazonaws.com https://ec2.us-west-1.amazonaws.com https://ec2.us-west-2.amazonaws.com https://iam.amazonaws.com; frame-ancestors 'self'; frame-src 'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-cloudresourcemanager.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://*.codesandbox.io; img-src * data: blob:; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/ https://apis.google.com 'nonce-XXXXX'; style-src 'self' 'unsafe-inline' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net; worker-src https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://gitlab.com blob:
Location: https://gitlab.com/users/sign_in
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: _gitlab_session=XXXXX; path=/; expires=Thu, 27 Feb 2020 17:36:08 -0000; secure; HttpOnly
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: RiEVaPmbzl3
X-Runtime: 0.097096
X-Ua-Compatible: IE=edge
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
GitLab-LB: fe-24-lb-gprd
GitLab-SV: web-24-sv-gprd

mentioned in issue #208611 (closed)

mentioned in issue #209696 (closed)

mentioned in issue #212096 (closed)

mentioned in issue #212789 (closed)

mentioned in issue #212802 (closed)

mentioned in issue #213477 (closed)

added sectiondev label

Is there any update on this issue? this is a very major issue actually, and your own development team has also used the same link in 404 pages; which means, it's not just us the mortal people who are experiencing this issue! I am not sure why signing out a user requires post even though there is technically nothing sent and for ReSTfulness purposes it's also not necessary to post to logout!

I'm experiencing the same issue on a self-managed instance of GitLab

added vintage label

Hi @goetz ,

Thanks for raising this bug.

Contributions like this are vital to help make GitLab a better product.

We would be grateful for your help in verifying whether your bug report requires further attention from the team. If you think this bug still exists, and is reproducible with the latest stable version of GitLab, please comment on this issue.

This issue has been inactive for more than 12 months now and based on the policy for inactive bugs, will be closed in 7 days.

Thanks for your contributions to make GitLab better!

added stale label

Hi @goetz ,

Based on the policy for inactive bugs, this issue is now being closed.

If you think this bug still exists, and is reproducible with the latest stable version of GitLab, please reopen this issue.

Thanks for your contributions to make GitLab better!

closed

added auto closed label

Hi, I am still experiencing this issue! Any update on this?

Yep me 2, I can't sign_out atm, because mozilla-django-oidc does a GET request to the logout redirect url.

A little hacky, but what we did was set the sign out URL to be "https://gitlab.example.com/users/sign_in?auto_sign_in=false". That will at least redirect you to a login screen and honor what user you attempt to login with. Do note that if you manually change your URL back to your GitLab instance, it goes back to SSO user. So, not great but works depending on what you're doing. We were just attempting to logout, so that we could login as the root user. So this worked for us.

You can find some more info about that link from here.