Log user out in Symfony 2 application when "remember me" is enabled

php security symfony authentication logout
Slava Fomin II picture Slava Fomin II · Mar 3, 2015 · Viewed 8k times · Source

I'm looking for a way to log user out of Symfony 2 application, but could not find a way to do it properly.

I've tried an approach described here: Symfony2: how to log user out manually in controller?

$this->get('security.context')->setToken(null);
$this->get('request')->getSession()->invalidate();

It's working fine when "remember me" is disabled, however, when I enable it, it's not working. It looks like user is automatically re-authenticated back again by this cookie.

remember_me:
    key:      "%secret%"
    lifetime: 31536000
    path:     /
    domain:   ~
    always_remember_me: true

What is the proper way to log user out of Symfony 2 application? Do I need to additionally delete this cookie from server-side?

Answer

Slava Fomin II picture Slava Fomin II · Mar 3, 2015

Thanks to @nifr I was able to resolve this issue. Here's the bulletproof step-by-step guide to log user out of Symfony 2 application manually.

Warning

Symfony already implements the functionality of logging user out and deleting cookies. There is a LogoutListener who delegates those action to couple of logout handlers: CookieClearingLogoutHandler and SessionLogoutHandler. I think the best course of action would be to call those handlers and not to implement such low-level logic yourself. However, I can't find a way to do this.

Solution

This solution is for Symfony 2.6. The difference is in security.token_storage.

  1. Add two additional parameters to store cookie names for «session» and «remember me» to your parameters.yml:
# parameters.yml

parameters:
    session.name: SESS
    session.remember_me.name: LONGSESS
  1. Update your config.yml to use the first parameter for session name:
# config.yml

framework:
    session:
        name: "%session.name%"
  1. Update your security.yml to use the second parameter for remember me session name:
# security.yml

security:
    firewalls:
        demo_secured_area:
            remember_me:
                name: "%session.remember_me.name%"
  1. Here's the code you can use to log current user out:

You can use such code inside of a kernel event listener, if you want so.

// SomeController.php

/**
 * @Route("/terminate", name="app.terminate")
 */
public function terminateAction()
{
    // Logging user out.
    $this->get('security.token_storage')->setToken(null);

    // Invalidating the session.
    $session = $this->get('request')->getSession();
    $session->invalidate();

    // Redirecting user to login page in the end.
    $response = $this->redirectToRoute('app.login');

    // Clearing the cookies.
    $cookieNames = [
        $this->container->getParameter('session.name'),
        $this->container->getParameter('session.remember_me.name'),
    ];
    foreach ($cookieNames as $cookieName) {
        $response->headers->clearCookie($cookieName);
    }

    return $response;
}

Here's the implementation of kernel event listener which will force users to log out basing on entity property: Logging user out of Symfony 2 application using kernel event listener.

I hope it helps.

Related questions

Symfony security return 401 response instead of redirect

I'm writing an ajax application with ajax authentication and now I started using the symfony security component in silex to handle authentication/authorization. Doing a simple test with a simple configuration, I go to a protected area by the firewall …

Read More
Symfony granting path access to multiple roles in security.yml

Hi I would like to be able to allow access to a path in security.yml based on the user either having ROLE_TEACHER, or ROLE_ADMIN. According to the question in Multiple roles required for same url in symfony 2 …

Read More
How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's …

Read More