Cakephp does not expire page after logout

Question

I am learning cakePHP, I have written the example of the manual, the problem is with the method logout of the UsersController, when I press the link logout the application is redirected to the login form, but the back button of the browser allows to return to a page that requires an authenticated user, an example about of this occurs with the page to add posts

Source Code

UsersController.php

<?php

class UsersController extends AppController {

    public function beforeFilter() {
        parent::beforeFilter();
// Allow users to register and logout.
        $this->Auth->allow('add', 'logout');
    }


    public function add() {
        if ($this->request->is('post')) {
            $this->User->create();
            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash(__('The user has been saved'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(
                    __('The user could not be saved. Please, try again.')
            );
        }
    }

    public function edit($id = null) {
        $this->User->id = $id;
        if (!$this->User->exists()) {
            throw new NotFoundException(__('Invalid user'));
        }
        if ($this->request->is('post') || $this->request->is('put')) {
            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash(__('The user has been saved'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(
                    __('The user could not be saved. Please, try again.')
            );
        } else {
            $this->request->data = $this->User->read(null, $id);
            unset($this->request->data['User']['password']);
        }
    }

    public function delete($id = null) {
        $this->request->onlyAllow('post');
        $this->User->id = $id;
        if (!$this->User->exists()) {
            throw new NotFoundException(__('Invalid user'));
        }
        if ($this->User->delete()) {
            $this->Session->setFlash(__('User deleted'));
            return $this->redirect(array('action' => 'index'));
        }
        $this->Session->setFlash(__('User was not deleted'));
        return $this->redirect(array('action' => 'index'));
    }

    public function login() {
        //$this->layout=null;
        if ($this->request->is('post')) {
            if ($this->Auth->login()) {
                $this->Session->write('userid',$this->Auth->user('id'));
                //$this->Session->write('userid',AuthComponent::user('id'));
                return $this->redirect($this->Auth->redirect());
            }
            $this->Session->setFlash(__('Invalid username or password, try again'));
        }
    }

    public function logout() {
        $this->Session->delete('userid');
        $this->Session->destroy();
        return $this->redirect($this->Auth->logout());
    }

}

?>

PostsController.php

<?php

class PostsController extends AppController {

    public $helpers = array('Html', 'Form');

    public function isAuthorized($user) {
// All registered users can add posts
        if ($this->action === 'add') {
            return true;
        }
// The owner of a post can edit and delete it
        if (in_array($this->action, array('edit', 'delete'))) {
            $postId = (int) $this->request->params['pass'][0];
            if ($this->Post->isOwnedBy($postId, $user['id'])) {
                return true;
            }
        }
        return parent::isAuthorized($user);
    }

    public function index() {
        if ($this->Session->read('userid')) {
            $this->set('posts', $this->Post->find('all', array('conditions' => array('Post.user_id' => AuthComponent::user('id')))));
        } else {
            $this->set('posts', $this->Post->find('all'));
        }
    }

    public function view($id = null) {
        if (!$id) {
            throw new NotFoundException(__('Invalid post'));
        }
        $post = $this->Post->findById($id);
        if (!$post) {
            throw new NotFoundException(__('Invalid post'));
        }
        $this->set('post', $post);
    }

    public function add() {
    if ($this->Auth->loggedIn()) {
        if ($this->request->is('post')) {
            $this->request->data['Post']['user_id'] = $this->Auth->user('id');
            $this->Post->create();
            if ($this->Post->save($this->request->data)) {
                $this->Session->setFlash(__('Your post has been saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('Unable to add your post.'));
        }
    } else {
        return $this->redirect(array('controller' => 'users', 'action' => 'login'));
    }
}

    public function edit($id = null) {
        if (!$id) {
            throw new NotFoundException(__('Invalid post'));
        }
        $post = $this->Post->findById($id);
        if (!$post) {
            throw new NotFoundException(__('Invalid post'));
        }
        if ($this->request->is(array('post', 'put'))) {
            $this->Post->id = $id;
            if ($this->Post->save($this->request->data)) {
                $this->Session->setFlash(__('Your post has been updated.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('Unable to update your post.'));
        }
        if (!$this->request->data) {
            $this->request->data = $post;
        }
    }

    public function delete($id) {
        if ($this->request->is('get')) {
            throw new MethodNotAllowedException();
        }
        if ($this->Post->delete($id)) {
            $this->Session->setFlash(
                    __('The post with id: %s has been deleted.', h($id))
            );
            return $this->redirect(array('action' => 'index'));
        }
    }

}

?>

AppController.php

<?php
App::uses('Controller', 'Controller');

/**
 * Application Controller
 *
 * Add your application-wide methods in the class below, your controllers
 * will inherit them.
 *
 * @package     app.Controller
 * @link        http://book.cakephp.org/2.0/en/controllers.html#the-app-controller
 */
class AppController extends Controller {

    public $components = array(
        'Session',
        'Auth' => array(
            'loginRedirect' => array('controller' => 'posts', 'action' => 'index'),
            'logoutRedirect' => array('controller' => 'users','action' => 'login'),
            'authorize' => array('Controller') // Added this line
        )
    );

    public function isAuthorized($user) {
// Admin can access every action
        if (isset($user['role']) && $user['role'] === 'admin') {
            return true;
        }
// Default deny
        return false;
    }

    public function beforeFilter() {
        $this->Auth->allow('index','view','login','helloajax');
    }

}

?>

score 0 · Answer 1 · answered Oct 30 '14 at 05:29

please check beforeFilter function from your AppController

you have explicitly allowed some action through AuthComponent

public function beforeFilter() {
    $this->Auth->allow('index','view','login','helloajax');
}

Please verify actions you want to allow for unauthenticated visitor.

Since AppController is extended by every single controller in cakephp. Which turn out to like you are allowing unauthenticated users to access your index,view,login etc actions for every single controller you have created or will create.

yes, you are right, but the problem is that the back button of the browser allows to return to an action that requires authentication. For example this occurs with the action Add of PostsController that requires authentication. — Alexander Ceballos, Oct 30 '14 at 14:56

Cakephp does not expire page after logout

1 Answers1