Comments on: Symfony security, sessions not cleared when logging out

By: Richard

Richard — Wed, 03 Feb 2010 09:52:09 +0000

When I clicked on logout and if I go “Back” with Browser Back button, then inside page is coming again. Is there any way to stop showing inside page? once user clicked on logout.

By: zairo

zairo — Thu, 12 Feb 2009 09:13:24 +0000

Mr Bart, your idea rock! Thank a lot. Now my session is totally clear after logout.

By: Bart

Bart — Thu, 22 Jan 2009 19:34:04 +0000

Just a reminder that session values in Symfony can be stored in both a parameter holder and an attribute holder.

So, while regenerating the session is the safest way to go, if you have to keep the session but need to remove any Symfony values be certain to clear them both.

$this->getUser()->getParameterHolder()->clear();
$this->getUser()->getAttributeHolder()->clear();

Thanks for the blog clearing this up!

By: Russ

Russ — Wed, 26 Nov 2008 16:02:50 +0000

Thomas: From a PHP security perspective, it is better not to just rely on clearing the Symfony attributes – totally regenerating the session is the safest way to go.

Zairo: You should not be editing the plugin, if you need to override some of the functionality you should override the class in your own workspace.

You should check that the file that you are editing is actually the one that Symfony is loading – put die(“hello world”); in there or something and click logout, just to see if you are actually having any effect at all.

By: zairo

zairo — Wed, 26 Nov 2008 15:41:08 +0000

hi. I try all the suggestions but to no avail. Please help me.

prjname/plugins/sfGuardPlugin/modules/sfGuardAuth/lib/BasessfGuardAuthActions.class.php:

public function executeSignout()

{
$this->getUser()->clearCredentials();

$this->getUser()->setAuthenticated(false);
$this->getUser()->getAttributeHolder()->remove(‘referer’); $this->getUser()->getParameterHolder()->removeNamespace(‘referer’);
$this->getUser()->getParameterHolder()->clear();
..
}

By: Thomas Boerger

Thomas Boerger — Wed, 26 Nov 2008 15:20:22 +0000

And if you really want to clear everything that is on session write something like the following to your action:

$this->getUser()->getParameterHolder()->clear()

This call clears everything you have set on $this->getUser()->setParameter(‘foo’, ‘bar’)

By: Thomas Boerger

Thomas Boerger — Wed, 26 Nov 2008 15:04:50 +0000

You never got to manipuilate the session directly.

You’ve got to add session vars with $this->getUser()->setAttribute(‘varname’, ‘varvalue’, ‘yourNamespaceForVars’);

So if you are logging out you got to remove the namespace only and everything is fine.

$this->getUser()->getParameterHolder()->removeNamespace(‘yourNamespaceForVars’)

Kind regards,
Thomas Boerger

By: The Codebelay Blog » Installing sfGuardPlugin in symfony 1.1 — A Guide for the Perplexed

Mon, 18 Aug 2008 18:39:04 +0000

[...] symfony 1.1 has a signout bug, where sessions are not entirely cleared. Thanks to this blog post, I was able to hack something [...]

By: rpsblog.com » A week of symfony #84 (4->10 august 2008)

rpsblog.com » A week of symfony #84 (4->10 august 2008) — Sun, 10 Aug 2008 22:33:51 +0000

[...] Symfony security, sessions not cleared when logging out [...]

By: Russ

Russ — Tue, 05 Aug 2008 08:16:54 +0000

That’s true, I can imagine there are some cases where you’d want some session values to be remembered even after the user logs out – but then I guess it’s easy enough to reload the required data into the new session, or even just use some additional cookies.

Comments on: Symfony security, sessions not cleared when logging out

By: Richard

By: zairo

By: Bart

By: Russ

By: zairo

By: Thomas Boerger

By: Thomas Boerger

By: The Codebelay Blog » Installing sfGuardPlugin in symfony 1.1 — A Guide for the Perplexed

By: rpsblog.com » A week of symfony #84 (4-&gt;10 august 2008)

By: Russ

By: rpsblog.com » A week of symfony #84 (4->10 august 2008)