7

Whenever I go to /admin/logout, I'm correctly redirected to the root of my project but still logged in when I visit /admin/ as I'm not prompted for credentials.

Here is my configuration:

security.yml

security:
    firewalls:
        admin_area:
            pattern:    ^/admin
            http_basic: ~
            stateless:  true
            switch_user: { role: ROLE_SUPER_ADMIN, parameter: _want_to_be_this_user }
            logout: { path: /admin/logout, target: / }

AdminBundle/Resources/config/routing.yml

logout:
    pattern:   /logout

app/config/routing.yml

admin:
    resource: "@AdminBundle/Resources/config/routing.yml"
    prefix:   /admin

The authorization is still in place as the headers state Authorization:Basic YWRtaW46cEAkJHcwUmQh so I guess credentials are still provided to the application during the request.

I know there is no proper way to logout from a HTTP Basic Auth as per this question but maybe Symfony2 allows it?

D4V1D
  • 5,805
  • 3
  • 30
  • 65
  • 1
    possible duplicate of [Symfony2 http\_basic security configuration problem](http://stackoverflow.com/questions/5989201/symfony2-http-basic-security-configuration-problem) – Darragh Enright Mar 24 '15 at 09:38
  • try to change your logout pattern to `/admin/logout` so it is under a firewall also you can check if you havent checked `remember me` - try to remove cookies then login and logout – vardius Mar 24 '15 at 09:58
  • Thanks @Vardius for your comment but my pattern is **already** `/admin/logout` as I'm correctly redirected. Also, I haven't implemented the option `remember_me` (yet). – D4V1D Mar 24 '15 at 10:20
  • here in your post i can see that the logout in your `routing.yml` is not under the firewall. try to change that and then istead of patterns in your `security.yml` try to use route names as `logout: path: logout....` – vardius Mar 24 '15 at 10:22
  • Actually, my routing `routing.yml` file is under the `AdminBundle` bundle which has its routes imported in `app/config/routing.yml` like so `admin: resource: "@AdminBundle/Resources/config/routing.yml" prefix: /admin` so the pattern of the route is `/admin/logout` so under the firewall. Changing the pattern in `security.yml` for the name of the route did nothing unfortunately (still logged in). Thanks for your help. – D4V1D Mar 24 '15 at 10:28
  • [In_memory style user authentication and authorisation with webform login box](http://www.inanzzz.com/index.php/post/07wr/in-memory-style-user-authentication-and-authorisation-with-webform-login-box) – BentCoder Sep 23 '15 at 08:23

2 Answers2

12

Once logged in via http auth, your browser will cache and add your login credentials to each subsequent request in the form of a header like this:

Authorization:Basic YWRtaW46YWRtaW4=

When you do a logout, the next request to the server will still hold your http credentials and log you in again.

So the trick is to lose the http credentials on the client side after destroying the session on the server side.

In the past there where some hackidy methods like submitting false credentials or some obscure IE method for deleting the cache. But I don't think these methods still work.

What still works ( I tested the following method with symfony 2.7 and google chrome 45 ) is replying to the client with a HTTP 401 unauthorized response.

Check it out:

Add the following to your logout section in the app/config/security.yml file

logout:
    success_handler: logout_listener

To your services configuration app/config/services.yml

logout_listener:
    class: AppBundle\LogoutListener

Then create a listener that responds with HTTP 401 unauthorized

<?php 

namespace AppBundle;

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;

class LogoutListener implements  LogoutSuccessHandlerInterface 
{
    public function onLogoutSuccess(Request $request) 
    {
        return new Response('', 401);
    }
}

After logging out your app will send a 401 to the browser which will think authentication has failed resulting in the auth cache being cleared ( who wants to remember faulty credentials anyway right ) and prompt for your credentials again

Niki Van Cleemput
  • 151
  • 1
  • 7
  • However, bouncing to `http://logout@www.yourdomain.com/your/page` does work (i.e. trying to login with fake credentials in the URL). Not sure why this clears the cached authentication but a simple 401 response does not, but there you go. – caponica Aug 03 '16 at 21:47
  • 1
    Just tried the "logout@" trick on Chromium 56, it does not work – Massimiliano Arione Mar 06 '17 at 10:14
0

The answer of @Niki Van Cleemput doesn't seem to work in all cases. When I tested it, it was OK on Chrome 44 but not on Firefox 48. Here is a solution inspired by HTTP authentication logout via PHP:

The security parameters:

security:
    # ... your encoders, role_hierarchy, providers...
    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            pattern: ^/
            anonymous: ~
            stateless:  true
            http_basic:
                realm: "My admin area"
            # no logout parameter as it is handled manually

    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }

The controller with the "fake" logout action:

<?php

namespace Me\Bundle\CoreBundle\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;

/**
 * Security stuff.
 */
class SecurityController extends Controller
{
    /**
     * Logout confirmation.
     *
     * @Route("/logout", name="logout")
     */
    public function logoutAction()
    {
        return $this->render('@EasyAdmin/default/logout.html.twig'); // change with your template path
    }
}

In your layout:

<script type="text/javascript">
    function logout() {
        var xmlhttp;
        if (window.XMLHttpRequest) {
            xmlhttp = new XMLHttpRequest();
        }
        // code for IE
        else if (window.ActiveXObject) {
            xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
        }
        if (window.ActiveXObject) {
            // IE clear HTTP Authentication
            document.execCommand("ClearAuthenticationCache");
            window.location.href='{{ path('logout') }}';
        } else {
            xmlhttp.open("GET", '{{ path('easyadmin') }}', true, "logout", "logout");
            xmlhttp.send("");
            xmlhttp.onreadystatechange = function() {
                if (xmlhttp.readyState == 4) {window.location.href='{{ path('logout') }}';}
            }
        }

        return false;
    }
</script>

Add the logout link:

<a href="#" onclick="logout()"><i class="hidden-xs fa fa-user"></i> Logout</a>

At least it works in both Chrome and Firefox, let me know if it doesn't on other browsers.

Community
  • 1
  • 1
COil
  • 7,201
  • 2
  • 50
  • 98
  • This looks nasty... better and cleaner to bounce the user to `http://logout@www.yourdomain.com/your/page` (where 'logout' is an invalid username). This should fail authentication and clear the related cache. – caponica Aug 03 '16 at 21:50
  • I agree, quite nasty. But for me It is the only solution that worked on every browser without having to call a "fake" user to logout. – COil Sep 05 '16 at 10:44
  • imho, it is probably better/cleaner to call a fake user to force a logout rather than all this code (all you need is a logout link). – caponica Sep 05 '16 at 14:35