I'm having some problems, and I don't know why: when I log out from my application, which is handled by FOSUserBundle, the current session is never destroyed or even cleared, which causes issues when I log back in because I store some data in the session. This is how my security.yml looks:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_USER: ROLE_USER
        ROLE_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                login_path: /login
                check_path: /login_check
                default_target_path: home
                always_use_default_target_path: true
            logout:
                path: fos_user_security_logout
                target: /
                invalidate_session: false
            anonymous: ~
    access_control:
        ...
And this is how the session keys are configured at config.yml:
session:
    # handler_id set to null will use default session handler from php.ini
    handler_id: ~
    cookie_lifetime: 86400
    gc_maxlifetime: 600 # session will expire after 10 minutes of inactivity
    gc_probability: 1
    gc_divisor: 1
Am I missing something else here?
As a second part of this question, I have a big doubt, since this is something new to me, and it's related to how garbage collection works in Symfony2. I was reading the docs about it but it is not clear to me, and I also don't know if this is the reason the session isn't destroyed properly when I log out of the application. Any explanation around this? If I'm not mistaken, my application will log users out automatically when 10 minutes pass without doing anything, meaning inactivity. Am I right? But how does the GC part work, or what does it do, in this config? I took that configuration from this topic but I don't understand it yet.
As an additional note, I'm working with Firefox and Chrome, both in private windows, so no browser cache should exist.
The invalidate_session option in the security.yml file is set to true by default; in your config it's false. Try changing it to true.
For clarification, here is the code from SecurityExtension.php:
if (true === $firewall['logout']['invalidate_session'] && false === $firewall['stateless']) {
    $listener->addMethodCall('addHandler', array(new Reference('security.logout.handler.session')));
}
and 'security.logout.handler.session':
public function logout(Request $request, Response $response, TokenInterface $token)
{
    $request->getSession()->invalidate();
}
....
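What the invalidate() call in that handler changes, as an added example that is not part of the original answer or of Symfony's own code: with invalidation the stored attributes are cleared and a new session id is issued, without it both survive the logout. It assumes symfony/http-foundation is installed through Composer; the function name sessionAfterLogout and the cart data are hypothetical.

```php
<?php
// Added example, not code from Symfony or FOSUserBundle.
// Assumption: symfony/http-foundation is installed and vendor/autoload.php exists.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;

/**
 * Simulates a logout and reports what is left in the session afterwards.
 * $invalidate mirrors the logout.invalidate_session firewall option.
 * (Hypothetical helper written for this illustration.)
 */
function sessionAfterLogout($invalidate)
{
    // In-memory storage, so PHP's real session handler is never touched.
    $session = new Session(new MockArraySessionStorage());
    $session->start();
    $session->set('cart', array('sku-1', 'sku-2')); // constructed sample data
    $idBefore = $session->getId();

    if ($invalidate) {
        // The same call security.logout.handler.session makes on logout.
        $session->invalidate();
    }

    return array(
        'same_id'   => $idBefore === $session->getId(),
        'leftovers' => $session->all(),
    );
}

// Compare the two settings side by side.
foreach (array(false, true) as $invalidate) {
    echo 'invalidate_session: ', var_export($invalidate, true), PHP_EOL;
    var_dump(sessionAfterLogout($invalidate));
}
```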