6
votes

This is my first Symfony 2 application and I am trying to log out the currently logged-in user.

This is my app/config/security.yml

security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        in_memory:
            memory:
                users:
                    user0:  { password: user0, roles: [ 'ROLE_ADMIN' ] }
                    user1:  { password: user1, roles: [ 'ROLE_SUPER_ADMIN' ] }

    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        login:
            pattern:  ^/demo/secured/login$
            security: false

        secured_area:
            pattern: ^/
            logout: ~
            anonymous: ~
            http_basic:
                realm: "Secured Area"

    access_control:
        - { path: ^/question/*, roles: ROLE_ADMIN }
        - { path: ^/questiongroup/*, roles: ROLE_ADMIN }
        - { path: ^/answer/*, roles: ROLE_ADMIN }
        - { path: ^/newslettertemplate/*, roles: ROLE_ADMIN }
        - { path: ^/customer/*, roles: ROLE_SUPER_ADMIN }
        - { path: ^/statistics/*, roles: ROLE_SUPER_ADMIN }

I have created the logout entry in routing.yml as described in the Symfony security documentation:

logout:
    path:   /logout

When I create a link to the "logout" route I do get redirected to "/", which is ok. But the user is still authenticated, meaning the actual logout did not work.


3 Answers

11
votes

It doesn't work with HTTP Basic Authentication because the browser remembers your credentials and sends them with each request. You can do nothing about this on the server side.

I believe eventually you're going to switch to the form based login. The logout feature will work like it's supposed to when you do.
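To make the difference concrete, here is an added, simplified model of the two firewall types (example code written for this page, not Symfony's implementation: the `Server` and `Browser` classes, the in-memory session store and the sample users are invented). It shows why `logout: ~` has no visible effect behind `http_basic`, why it works behind `form_login`, and why the "post bogus credentials to `login_check`" trick in the third answer also ends the session: a failed login attempt clears the stored token. The password check is constant-time to match the plaintext encoder in the question without leaking timing.

```python
"""Simplified model of HTTP Basic vs. form login under a `logout: ~` firewall.
Added illustration; class names, session store and users are invented here."""
import base64
import hmac
import secrets

# Constructed sample users, mirroring the in_memory provider in the question.
USERS = {"user0": "user0", "user1": "user1"}


def check_password(username, password):
    """Constant-time comparison against the plaintext in-memory provider."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


class Server:
    """One firewall configured as either http_basic or form_login."""

    def __init__(self, auth):
        assert auth in ("http_basic", "form_login")
        self.auth = auth
        self.sessions = {}  # session id -> {"user": name}; invented store

    def _session(self, cookies):
        sid = cookies.get("PHPSESSID")
        if sid is None or sid not in self.sessions:
            sid = secrets.token_hex(8)
            self.sessions[sid] = {}
        return sid, self.sessions[sid]

    def handle(self, path, headers=None, cookies=None, form=None):
        headers, cookies, form = headers or {}, cookies or {}, form or {}
        sid, session = self._session(cookies)
        resp = {"set_cookie": {"PHPSESSID": sid}, "user": None}

        if path == "/logout":
            # logout: ~ invalidates the server-side session and drops the cookie.
            del self.sessions[sid]
            resp.update(status=302, set_cookie={"PHPSESSID": None})
            return resp

        if self.auth == "http_basic":
            # Stateless: every request is re-authenticated from the header,
            # so the session that /logout destroyed was never what kept you in.
            auth = headers.get("Authorization", "")
            if auth.startswith("Basic "):
                try:
                    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
                except (ValueError, UnicodeDecodeError):
                    user, pw = "", ""
                if check_password(user, pw):
                    resp.update(status=200, user=user)
                    return resp
            resp.update(status=401, www_authenticate='Basic realm="Secured Area"')
            return resp

        # form_login: /login_check stores the token in the session; a failed
        # attempt clears whatever token was there (which is why the bogus-login
        # trick logs the user out).
        if path == "/login_check":
            user = form.get("_username", "")
            if check_password(user, form.get("_password", "")):
                session["user"] = user
            else:
                session.pop("user", None)
            resp.update(status=302, user=session.get("user"))
            return resp
        resp.update(status=200 if session.get("user") else 401, user=session.get("user"))
        return resp


class Browser:
    """Keeps cookies and, like real browsers, caches Basic credentials per
    realm and re-sends them on every later request without asking the user."""

    def __init__(self):
        self.cookies = {}
        self.basic_cache = {}  # realm -> cached Authorization header value

    def get(self, server, path, creds=None, form=None):
        headers, realm = {}, "Secured Area"
        if creds:
            token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
            self.basic_cache[realm] = "Basic " + token
        if realm in self.basic_cache:
            headers["Authorization"] = self.basic_cache[realm]
        resp = server.handle(path, headers, dict(self.cookies), form)
        for name, value in resp["set_cookie"].items():
            if value is None:
                self.cookies.pop(name, None)
            else:
                self.cookies[name] = value
        return resp


def basic_logout_leaves_user_logged_in():
    server, browser = Server("http_basic"), Browser()
    browser.get(server, "/question/1", creds=("user0", "user0"))
    browser.get(server, "/logout")
    return browser.get(server, "/question/1")["user"]  # still "user0"


def form_logout_works():
    server, browser = Server("form_login"), Browser()
    browser.get(server, "/login_check", form={"_username": "user0", "_password": "user0"})
    browser.get(server, "/logout")
    return browser.get(server, "/question/1")["user"]  # None: anonymous again


def bogus_login_check_also_logs_out():
    server, browser = Server("form_login"), Browser()
    browser.get(server, "/login_check", form={"_username": "user0", "_password": "user0"})
    browser.get(server, "/login_check", form={"_username": "*", "_password": ""})
    return browser.get(server, "/question/1")["user"]  # None
```

The three functions at the end reproduce the situations on this page: the Basic-auth user is still `user0` after `/logout` because the cached header is resent, while the form-login user becomes anonymous after either `/logout` or a failed `/login_check`. The model is deliberately minimal (no CSRF token on logout, no regeneration of the session id after login); a real form_login firewall should have both.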

5
votes

Just use this in security.yml

logout:
    path:   /logout
    invalidate_session: false

0
votes

If, like me, you are a rookie at Symfony and couldn't make the other logout solutions work (I suppose I missed some config subtleties), there is a non-academic but functional solution:

When you use form-based login you just have to send an undefined login and password to the 'login_check' route.

e.g. login='*' password=''

With a button in a template:

<form action="{{ url('login_check') }}" method="post">
    <input type="text" name="_username" value="*" style="display:none;" />
    <input type="password" name="_password" style="display:none;" />
    <button type="submit">log out</button>
</form>

Or by rendering a 'logout' template from a controller:

<script>
    window.addEventListener("load",function(){
        document.getElementById("logout_form").submit();
    });
</script>
<form action="{{ url('login_check') }}" method="post" id="logout_form">
    <input type="text" name="_username" value="*" style="display:none;" />
    <input type="password" name="_password" style="display:none;" />
</form>