Logging out does not destroy / clear the session as expected in the FOSUserBundle

I am having some problems, not sure why: when I log out of my application, which is handled by FOSUserBundle, the current session is never destroyed or even cleared, which causes problems when logging in because I am storing some data per session. This is what my security.yml looks like:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_USER: ROLE_USER
        ROLE_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                login_path:  /login
                check_path:  /login_check
                default_target_path: home
                always_use_default_target_path: true
            logout:
                 path: fos_user_security_logout
                 target: /
                 invalidate_session: false
            anonymous: ~

    access_control:
        ...    


And this is how the session keys are configured in config.yml:

session:
    # handler_id set to null will use default session handler from php.ini
    handler_id:  ~
    cookie_lifetime: 86400
    gc_maxlifetime: 600 # session will expire after 10 minutes of inactivity
    gc_probability: 1
    gc_divisor: 1


Am I missing something here?

As the second part of this question, I have big doubts, as this is something new to me: is it related to how garbage collection works in Symfony2? I have read the docs around it, but it is not clear to me, and I do not know if this is the reason the session is not destroyed correctly when I leave the application. Any explanation around this? If I am not mistaken, my application will automatically log out when 10 minutes have passed without doing anything, which means inactivity, am I right? But how and what does GC do with this configuration? I took this config from this thread, but I don't understand it yet.

As a side note, I'm working with Firefox and Chrome, both in private windows, so the browser cache should not be an issue.

+3




1 answer


invalidate_session in the security.yml file is set to true by default; in your config it is false. Try changing it to true.

For clarification, here is the code from SecurityExtension.php

// SecurityExtension.php: the session logout handler is only registered
// when invalidate_session is true (and the firewall is not stateless)
if (true === $firewall['logout']['invalidate_session'] && false === $firewall['stateless']) {
    $listener->addMethodCall('addHandler', array(new Reference('security.logout.handler.session')));
}




and 'security.logout.handler.session':

// SessionLogoutHandler::logout(): invalidate() clears every attribute and
// flash stored in the session and regenerates the session id
public function logout(Request $request, Response $response, TokenInterface $token)
{
    $request->getSession()->invalidate();
}


....

+8
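Putting the answer's fix next to the question's session settings, as an added example that is not part of the original post and not FOSUserBundle's or Symfony's own code. It assumes the session block sits under the framework: key in config.yml (the question's fragment omits that enclosing key); the values themselves are the ones from the question, annotated:

```yaml
# security.yml: logout section of the "main" firewall
security:
    firewalls:
        main:
            # ... pattern, form_login, anonymous unchanged ...
            logout:
                path: fos_user_security_logout
                target: /
                # false (the question's setting) removes the security token but
                # leaves every attribute stored in the session in place, so the
                # next login still sees the previous user's per-session data.
                # true (the default) registers security.logout.handler.session,
                # whose logout() calls $request->getSession()->invalidate():
                # all attributes and flashes are cleared and the session id is
                # regenerated, so the old id cannot be reused either.
                invalidate_session: true

# config.yml: the question's session values, annotated
framework:
    session:
        handler_id: ~          # null: PHP's native handler from php.ini (files by default)
        cookie_lifetime: 86400 # the browser keeps the cookie for 24 h ...
        gc_maxlifetime: 600    # ... but server-side data not written for 10 min is
                               # eligible for garbage collection, so the session ends
                               # after 10 min of inactivity (if the collector runs)
        gc_probability: 1      # gc_probability/gc_divisor is the chance that PHP runs
        gc_divisor: 1          # the collector when a session starts; 1/1 = every request
```

Two caveats worth keeping in mind: garbage collection only decides when idle server-side data disappears, it never runs on logout, so it cannot substitute for invalidate_session; and with gc_probability 1 / gc_divisor 1 the collector walks the session store on every request, which is fine for a small site but is a cost to measure before shipping it under load.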








