Symfony security, sessions not cleared when logging out
I’m not sure if this will be covered in 1.1 (maybe someone can shed some light on it?), but currently when you log out using the standard sfGuardAuth functionality, the session is not cleared or destroyed.
This only came to light recently, when I was scratching my head over why a parameter I had set was still available in the $sf_params array even after logging out and logging back in again as a different user. This threw up an interesting security issue, because I started to wonder whether I had set any admin-specific parameters elsewhere which could be reused by another user on the same machine.
The fix is fairly straightforward, but can only be run when not in test mode, because sfBrowser does not like the session to be destroyed! Maybe this is why it has never been written into the core functionality?
In apps/yourapp/modules/sfGuardAuth/actions/actions.class.php:

  public function executeSignout()
  {
    // sfBrowser (used by the functional tests) cannot cope with the session being destroyed,
    // so the clean-up is skipped in the test environment
    if (sfConfig::get('sf_environment') != 'test')
    {
      // Swap to a fresh session ID first (deleting the old one server-side); calling
      // session_regenerate_id() after session_destroy() fails because no session is active
      session_regenerate_id(true);
      // Throw away every value held in the session, then delete the server-side data
      $_SESSION = array();
      session_destroy();
    }
    // Let sfGuardAuth do the rest of its normal signout work
    parent::executeSignout();
  }
Keeping the parent::executeSignout() call means that you let the sfGuard plugin do the remainder of the work for you, so rather than replacing the function you are just adding a bit to the start of it.
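For comparison, here is a complete logout routine for a plain PHP session (an added example, not code from the original post or from the sfGuard plugin); it performs the same steps as the action above and additionally expires the session cookie, so the browser forgets the old ID rather than presenting it on the next request. The function name is this example's own.

```php
<?php
// Added example: full session teardown on logout (hypothetical helper name).
function destroy_session_completely(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return; // nothing to destroy
    }

    // 1. Forget every value in this request, not just the user-related ones,
    //    so an "admin only" parameter cannot survive into the next user's session.
    $_SESSION = array();

    // 2. Tell the browser to drop the session cookie, using the same parameters
    //    it was issued with; otherwise the browser keeps presenting the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Delete the server-side session data; the next request starts a fresh session.
    session_destroy();
}
```

Call this from your logout action before redirecting; a subsequent session_start() will issue a new ID with no data carried over.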
This is good as long as there are no other values unrelated to sfGuardAuth in the session that you may need later.
That’s true, I can imagine there are some cases where you’d want some session values to be remembered even after the user logs out - but then I guess it’s easy enough to reload the required data into the new session, or even just use some additional cookies.
[...] symfony 1.1 has a signout bug, where sessions are not entirely cleared. Thanks to this blog post, I was able to hack something [...]