0

I've implement the Symfony's security component as following:

$app['security.firewalls'] = array(
    'unsecured_area' => array(
        pattern' => new RequestMatcher('^/log(in|out).*', null, 'GET')
     )
     , 'secured_area' => array(
        'pattern' => '.*',
        'edir' => true,
        'users' => $app['security.user_provider.custom'],
        'switch_user' => array('parameter' => '_switch_user', 'role' => 'ROLE_ALLOWED_TO_SWITCH')
    )
);

When I call the logout route, I just invalidate the session.

As far as I understand the security context is stored into the session, it should be sufficient to logout my user. But he's not logged out.

If I update my firewall putting the logout route into the secured area, the $session->invalidate() works fine and the user is logged out...

Why doesn't it work in unsecured area ? Unsecured area doesn't mean no-session area isn't it?

Fractaliste
  • 5,777
  • 11
  • 42
  • 86
  • 2
    No, the PHP session is present even if you are logged out. Please read first http://symfony.com/doc/current/components/http_foundation/session_configuration.html http://www.w3schools.com/php/php_sessions.asp http://php.net/manual/en/book.session.php – Alessandro Lai Jan 20 '15 at 09:09

1 Answers1

2

Simply but, in an unsecure area, Symfony2 uses what it calls an AnonymousToken, even though it has an active session isn't populated with the user credentials.

Hence, you user cannot be logout as he is not in a login state, the user informations are not in the token or session.

Hope that helps

bluetazmanian
  • 106
  • 4
  • Okay, on logout AnomymousToken is cleared but not AuthenticatedToken one's, because logout url isn't into secured area. I just need to move my logout path into secured area. – Fractaliste Mar 03 '15 at 08:38