I've implemented Symfony's security component as follows:
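    use Symfony\Component\HttpFoundation\RequestMatcher;

    $app['security.firewalls'] = array(
        // Login/logout routes (GET only) are matched first and left unsecured
        'unsecured_area' => array(
            'pattern' => new RequestMatcher('^/log(in|out).*', null, 'GET')
        ),
        // Everything else goes through the secured firewall
        'secured_area' => array(
            'pattern' => '.*',
            'edir' => true,
            'users' => $app['security.user_provider.custom'],
            'switch_user' => array('parameter' => '_switch_user', 'role' => 'ROLE_ALLOWED_TO_SWITCH')
        )
    );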
When I call the logout route, I just invalidate the session.
As far as I understand, the security context is stored in the session, so it should be sufficient to log out my user. But he's not logged out.
If I update my firewall, putting the logout route into the secured area, the $session->invalidate() works fine and the user is logged out...
Why doesn't it work in the unsecured area? Unsecured area doesn't mean no-session area, does it?