I'm looking for a way to log user out of Symfony 2 application, but could not find a way to do it properly.
I've tried an approach described here: Symfony2: how to log user out manually in controller?
$this->get('security.context')->setToken(null);
$this->get('request')->getSession()->invalidate();
It's working fine when "remember me" is disabled, however, when I enable it, it's not working. It looks like user is automatically re-authenticated back again by this cookie.
remember_me:
key: "%secret%"
lifetime: 31536000
path: /
domain: ~
always_remember_me: true
What is the proper way to log user out of Symfony 2 application? Do I need to additionally delete this cookie from server-side?
Clicking the “Remember Me” box tells the browser to save a cookie so that if you close out the window for the site without signing out, the next time you go back, you will be signed back in automatically.
Create a login form that has two input elements for entering username and password, a submit button, and a checkbox for Remember me. encryptCookie() – This function takes a single parameter. Generate random key and assign to $key.
You may have to call the session-storage's save()
(Documentation) method explicitly.
Force the session to be saved and closed.
Further you can request to delete the session- and/or remember_me-cookies via response headers.
The session-cookie's name is configured as the container-parameter framework.session.name
and defaults to the session.name
value from your php.ini.
$cookieName = $this->container->getParameter('framework.session.name');
$response->headers->clearCookie( $cookieName );
The remember_me-cookie's name can be configured in your security
configuration.
security:
firewalls:
your_firewall:
remember_me:
name: neverforget # <- cookie-name
Thanks to @nifr I was able to resolve this issue. Here's the bulletproof step-by-step guide to log user out of Symfony 2 application manually.
Symfony already implements the functionality of logging user out and deleting cookies. There is a LogoutListener
who delegates those action to couple of logout handlers: CookieClearingLogoutHandler
and SessionLogoutHandler
. I think the best course of action would be to call those handlers and not to implement such low-level logic yourself. However, I can't find a way to do this.
This solution is for Symfony 2.6. The difference is in security.token_storage
.
parameters.yml
:# parameters.yml
parameters:
session.name: SESS
session.remember_me.name: LONGSESS
config.yml
to use the first parameter for session name:# config.yml
framework:
session:
name: "%session.name%"
security.yml
to use the second parameter for remember me session name:# security.yml
security:
firewalls:
demo_secured_area:
remember_me:
name: "%session.remember_me.name%"
You can use such code inside of a kernel event listener, if you want so.
// SomeController.php
/**
* @Route("/terminate", name="app.terminate")
*/
public function terminateAction()
{
// Logging user out.
$this->get('security.token_storage')->setToken(null);
// Invalidating the session.
$session = $this->get('request')->getSession();
$session->invalidate();
// Redirecting user to login page in the end.
$response = $this->redirectToRoute('app.login');
// Clearing the cookies.
$cookieNames = [
$this->container->getParameter('session.name'),
$this->container->getParameter('session.remember_me.name'),
];
foreach ($cookieNames as $cookieName) {
$response->headers->clearCookie($cookieName);
}
return $response;
}
Here's the implementation of kernel event listener which will force users to log out basing on entity property: Logging user out of Symfony 2 application using kernel event listener.
I hope it helps.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With