Logging out does not destroy / clear the session as expected in the FOSUserBundle
I am having some problems, not sure why, when I log out of my application, which is handled by the FOSUserBundle: the current session is never destroyed or even cleared, which causes problems when logging in because I am storing some data per session. This is what my security.yml looks like:
    security:
        encoders:
            FOS\UserBundle\Model\UserInterface: sha512
        role_hierarchy:
            ROLE_USER: ROLE_USER
            ROLE_ADMIN: ROLE_ADMIN
        providers:
            fos_userbundle:
                id: fos_user.user_provider.username_email
        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
            main:
                pattern: ^/
                form_login:
                    provider: fos_userbundle
                    csrf_provider: form.csrf_provider
                    login_path: /login
                    check_path: /login_check
                    default_target_path: home
                    always_use_default_target_path: true
                logout:
                    path: fos_user_security_logout
                    target: /
                    invalidate_session: false
                anonymous: ~
        access_control:
            ...
And this is how the session keys are configured in config.yml:
    session:
        # handler_id set to null will use the default session handler from php.ini
        handler_id: ~
        cookie_lifetime: 86400
        gc_maxlifetime: 600 # session will expire after 10 minutes of inactivity
        gc_probability: 1
        gc_divisor: 1
Am I missing something here?
As the second part of this question, I have big doubts, as this is something new to me: is it related to how garbage collection works in Symfony2? I have read the docs around it, but it is not clear to me, and I do not know if this is the reason the session is not destroyed correctly when I exit the application. Any explanation around this? If I am not mistaken, my application will automatically log out when 10 minutes have passed without doing anything, which means inactivity, am I right? But how and what does GC do for this configuration? I am taking this config from this thread, but don't understand it yet.
As a side note, I'm working with Firefox and Chrome, both in private windows, so browser caching should not be an issue.
invalidate_session in the security.yml file is set to true by default; in your config it is false, so try changing it to true.
For clarification, here is the code from SecurityExtension.php:
    // The session logout handler is only registered when invalidate_session
    // is true and the firewall is not stateless.
    if (true === $firewall['logout']['invalidate_session'] && false === $firewall['stateless']) {
        $listener->addMethodCall('addHandler', array(new Reference('security.logout.handler.session')));
    }
and 'security.logout.handler.session':
    public function logout(Request $request, Response $response, TokenInterface $token)
    {
        // Clears all session attributes and regenerates the session id.
        $request->getSession()->invalidate();
    }
    ....
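Added example, not part of the question or the answer above: the logout block as posted in the question beside the corrected one, and the session settings from config.yml annotated with what each one actually controls. Firewall name, paths and values are the ones from the question.

```yaml
# security.yml, logout block as posted (weak): on logout the security token
# is removed, but the session keeps its id and all its attributes, so data
# stored per session survives into the next login on that browser.
security:
    firewalls:
        main:
            logout:
                path: fos_user_security_logout
                target: /
                invalidate_session: false
---
# Corrected: with invalidate_session true (the default, so the line can also
# simply be omitted) the SessionLogoutHandler is registered and calls
# $session->invalidate(), which clears every attribute and issues a new
# session id, so nothing from the old session carries over.
security:
    firewalls:
        main:
            logout:
                path: fos_user_security_logout
                target: /
                invalidate_session: true
---
# config.yml, the session settings from the question and what they control.
framework:
    session:
        handler_id: ~            # PHP's own handler from php.ini (files by default)
        cookie_lifetime: 86400   # the browser keeps the cookie for 24 h; this says
                                 # nothing about how long the server-side data lives
        gc_maxlifetime: 600      # server-side session data idle for more than 10 min
                                 # becomes eligible for garbage collection
        gc_probability: 1        # gc_probability / gc_divisor = 1/1: GC runs on every
        gc_divisor: 1            # session start, so idle sessions are purged promptly
```

Once the idle session data has been garbage-collected, the next request with that cookie starts an empty session with no security token, which is the "automatic logout after 10 minutes" the question describes; it is a side effect of GC, not a logout event.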