
In my Symfony2 project I have a logout button which redirects to the index page, but when I click the Login button it connects directly without asking me for a user and password.

How can I invalidate all session attributes, so that if I log in again it asks me for a user and password?

this is my logout Action:

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RedirectResponse;

public function logoutAction(Request $request)
{
    // drop the security token and destroy the server-side session
    $this->get('security.context')->setToken(null);
    $request->getSession()->invalidate();

    $url = $this->generateUrl('my_route');
    $response = new RedirectResponse($url);
    // expire the session cookie in the browser; do not call $response->send()
    // here, the kernel sends the returned response itself
    $response->headers->clearCookie('PHPSESSID');

    return $response;
}

here's the security.yml:

security:

    encoders:
        Envivio\UserBundle\Entity\User: sha512

    role_hierarchy:
        ROLE_USER:        ROLE_USER
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]

    providers:        
        mine:
            id: ib_user.oauth_user_provider

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false        

        main:
            anonymous: true
            pattern: ^/
            oauth:
                resource_owners:
                    salesforce: "/login/check-salesforce"
                login_path:   /login
                #use_forward:  false
                failure_path: /login
                default_target_path: /upload
                oauth_user_provider:
                    service: ib_user.oauth_user_provider                
            remember_me:
                key:     "%secret%"


    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }       
        - { path: ^/admin, role: ROLE_ADMIN }
ihssan

2 Answers

You can try:

$this->get('session')->clear();

or

$session = $this->get('session');
$ses_vars = $session->all();
foreach ($ses_vars as $key => $value) {
    $session->remove($key);
}

It may also be a cookie problem; check your cookies in the response headers, then try clearing them with this function:

http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/ResponseHeaderBag.html#method_clearCookie

Edit:

Since you have remember me enabled you need to clear that cookie too, otherwise the next request you do will re-authenticate the user. You can specify a name for the cookie:

# security.yml
remember_me:
    name: "%session.remember_me.name%"

Add the name of the cookie in parameters.yml:

parameters:
    session.remember_me.name: EXTSESS

Then in your controller's logout action:

$response = $this->redirectToRoute('homepageroute'); // build the redirect first so the cookie headers can be added to it
$this->get('security.context')->setToken(null);
$this->get('request')->getSession()->invalidate();
$remember_sess_name = $this->container->getParameter('session.remember_me.name');

$response->headers->clearCookie($remember_sess_name);

return $response;

It should work now. If this doesn't, then ALT+F4 :D

Nawfal Serrar
  • I tried to clear the session with this method `$this->get('request')->cookies->remove("PHPSESSID");` but it's not working, and I tried different methods but they don't resolve the problem – ihssan Apr 27 '15 at 12:20
  • Did you try what I said? Because you say you tried `$this->get('request')->cookies->remove("PHPSESSID");` but this is not what I recommended. You also may have a problem in your configuration; try to look for something missing or a typo, and edit your question with the security.yml also – Nawfal Serrar Apr 27 '15 at 14:39
  • The question is edited. I tried all you told me but it doesn't work – ihssan Apr 27 '15 at 14:45
  • What do you still have in your session after clearing it? And also the cookies, what's inside? – Nawfal Serrar Apr 27 '15 at 16:13
  • Still not working; I also tried to disable `remember_me` in `security.yml` but it doesn't work – ihssan Apr 28 '15 at 09:56
  • Var dump your cookies and session to see what is still inside related to auth – Nawfal Serrar Apr 28 '15 at 10:02
  • I did it and all the attributes of the session were cleared, but the cookies still have this value: `["PHPSESSID"]=> string(26) "tla1knj605s4klg5lm9md5ve13"` – ihssan Apr 28 '15 at 11:25
  • I cleared the cookie with this function and it's still not working: `$response->headers->clearCookie('PHPSESSID');` – ihssan Apr 28 '15 at 11:43
  • And you use that response as a return? – Nawfal Serrar Apr 28 '15 at 13:06
  • Yes, I used a `RedirectResponse` object; I edited my `logoutAction` – ihssan Apr 28 '15 at 13:44
  • BTW you will always have a session, even for anonymous users, so clearing it will just create another one, so it will never really be removed; your problem is somewhere else... Are you using some kind of HTTP login? Your browser may keep your username and password and log you in automatically on every request. Test this using private browsing or some other browser which you didn't use before – Nawfal Serrar Apr 28 '15 at 15:28
  • I tried another web browser and I have the same result – ihssan Apr 29 '15 at 11:26
  • Try to review your configuration; I never had this problem before, normally it should be working... Otherwise try to post your issue on Symfony's GitHub, you may get more help – Nawfal Serrar Apr 29 '15 at 13:41
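Added example, not code from the question or from either answer: a manual logout action that does what the answer above describes, but takes the session cookie name from the session configuration instead of hard-coding PHPSESSID, clears the remember-me cookie under Symfony's default name REMEMBERME (an assumption; set `name:` under `remember_me` if you changed it), and includes a small helper that checks the response really expires those cookies. It assumes Symfony 2.3 to 2.5 (`security.context`; on 2.6+ use `security.token_storage`) and the route `my_route` from the question. One caveat this code cannot fix: it ends the application session only. With the `oauth` firewall in the question, the Salesforce session at the identity provider is untouched, so if the Login button sends the user straight back through the OAuth round trip, the provider may complete it without prompting for credentials; forcing a fresh prompt has to be done on the provider side, not in the Symfony controller.

```php
<?php
// Added example (not the question's or the answers' code).
// Assumptions: Symfony 2.3-2.5 controller, route "my_route", remember-me cookie
// at Symfony's default name REMEMBERME.

namespace Envivio\UserBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

class LogoutController extends Controller
{
    // Symfony's default remember_me cookie name; assumption for this example.
    const REMEMBER_ME_COOKIE = 'REMEMBERME';

    public function logoutAction(Request $request)
    {
        $session = $request->getSession();

        // 1. Forget the authenticated user for the rest of this request.
        $this->get('security.context')->setToken(null);

        // 2. Destroy the server-side session data and rotate the session ID,
        //    so a captured copy of the old cookie cannot be replayed.
        $session->invalidate();

        // 3. Build the redirect first, then attach cookie-expiry headers to it.
        $response = new RedirectResponse($this->generateUrl('my_route'));

        // Use the configured session cookie name rather than a literal PHPSESSID.
        // Path (and domain, if one was set) must match the values the cookie was
        // originally set with, otherwise the browser keeps the old cookie.
        $response->headers->clearCookie($session->getName(), '/');
        $response->headers->clearCookie(self::REMEMBER_ME_COOKIE, '/');

        // Do not call $response->send() here: the kernel sends the returned
        // response, and sending it early emits headers before the
        // kernel.response listeners (including the session save) have run.
        return $response;
    }

    /**
     * Returns true only if the response carries an expired Set-Cookie entry
     * for every name given. Handy as an assertion in a functional test or as
     * a quick check while debugging a logout that "does nothing".
     */
    public static function expiresCookies(Response $response, array $names)
    {
        foreach ($names as $name) {
            $found = false;
            foreach ($response->headers->getCookies() as $cookie) {
                if ($cookie->getName() === $name && $cookie->isCleared()) {
                    $found = true;
                    break;
                }
            }
            if (!$found) {
                return false;
            }
        }

        return true;
    }
}
```

In a functional test, `LogoutController::expiresCookies($client->getResponse(), array(session_name(), 'REMEMBERME'))` tells you whether the logout response would actually delete the cookies in a browser; if it returns false, compare the path and domain in the expiring Set-Cookie header with those of the cookie the browser holds.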

You don't need to do it manually. The Symfony2 firewall can perform a logout like this:

# app/config/security.yml
security:
    firewalls:
        secured_area:
            # ...
            logout:
                path:   /logout
                target: /
    # ...

Next, you'll need to create a route for this URL (but not a controller):

# app/config/routing.yml
logout:
    path:   /logout

And that's it! By sending a user to /logout (or whatever you configure the path to be), Symfony will un-authenticate the current user.

Once the user has been logged out, they will be redirected to whatever path is defined by the target parameter above (e.g. the homepage).

Link to the related doc: http://symfony.com/doc/current/book/security.html#logout

Alessandro Lai
  • But the `route` that I want to redirect to after `logout` is `my_home_page` and it has 2 `parameters`; how can I set parameters in the `target` path? – ihssan Apr 27 '15 at 09:26
  • You can't, at least not easily. Either build a new route `after_logout` and redirect to the route you want the user to land on after logout, or use a [custom logout handler](http://stackoverflow.com/a/21835783/1847340) – ferdynator Apr 27 '15 at 09:49
  • Or you can set 2 default values on that route, if it's feasible. – Alessandro Lai Apr 27 '15 at 09:59
  • It's not possible; the parameters will change, it should be general – ihssan Apr 27 '15 at 10:06
  • @ihssan So use an 'after-logout' redirect as suggested by ferdynator – Alessandro Lai Apr 27 '15 at 10:37
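As a worked version of the custom logout handler suggested in the comments, here is an added example that is not part of the original answer: a `LogoutSuccessHandlerInterface` that sends the user to a route with two parameters after the firewall has logged them out. Assumptions: Symfony 2.x, the route `my_home_page` from the comment with placeholder parameter names `foo` and `bar` (the comment does not name them), values taken from the logout request's query string, and the service id `envivio_user.after_logout_handler`. The firewall's logout listener still invalidates the session and clears the remember-me cookie; the handler only decides where to send the user afterwards.

```php
<?php
// Added example, not code from the original answer. Assumes Symfony 2.x, a
// route "my_home_page" with parameters "foo" and "bar" (placeholder names),
// and the service id envivio_user.after_logout_handler.

namespace Envivio\UserBundle\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;

class AfterLogoutHandler implements LogoutSuccessHandlerInterface
{
    private $router;

    public function __construct(RouterInterface $router)
    {
        $this->router = $router;
    }

    /**
     * Called by the firewall's logout listener after the logout handlers
     * (session invalidation, remember-me cookie removal) have run.
     * Must return a Response; here it is a redirect to a parameterised route.
     */
    public function onLogoutSuccess(Request $request)
    {
        // The values come from /logout?foo=...&bar=..., i.e. from the user.
        // Generating a named route keeps the redirect on this application,
        // so this is not an open redirect, but the values are still filtered
        // so nothing unexpected reaches the target controller.
        $params = array(
            'foo' => $this->pick($request, 'foo', 'default-foo'),
            'bar' => $this->pick($request, 'bar', 'default-bar'),
        );

        return new RedirectResponse($this->router->generate('my_home_page', $params));
    }

    // Allow-list a single route parameter; fall back to a safe default.
    private function pick(Request $request, $name, $default)
    {
        $value = $request->query->get($name, $default);

        return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value) ? $value : $default;
    }
}

/*
 Wiring (assumed service id and firewall name "main" from the question):

 # services.yml
 services:
     envivio_user.after_logout_handler:
         class: Envivio\UserBundle\Security\AfterLogoutHandler
         arguments: ['@router']

 # security.yml
 security:
     firewalls:
         main:
             logout:
                 path: /logout
                 success_handler: envivio_user.after_logout_handler
                 # delete_cookies: [PHPSESSID]   # optional: extra cookies to expire
*/
```

With `success_handler` set, the `target` option is ignored, so the handler is the single place that decides the post-logout destination; the logout button then links to `/logout?foo=...&bar=...` with the current page's parameters.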