
I have this secured admin area under /admin/. Users need to be logged in via HTTP basic auth (http_basic set to true in security.yml).

My goal is, for a specific action in a specific controller, to re-ask the user for his username/password. I thought this would be simple, but as per my research, it appears it is not.

I have tried to unset both $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], but it seems to have no effect. I also tried to change the header to set a 401 status code, but this has no effect either.

How can this be achieved?

D4V1D
  • First of all, do not deal with $_SERVER directly in the Symfony2 framework; it has dedicated functionality for that. E.g. http://symfony.com/doc/current/components/http_foundation/introduction.html And to your question: take a look at this one http://stackoverflow.com/questions/13600280/programmatically-logout-current-user – forsberg Mar 24 '15 at 13:36
  • Thanks @forsberg for commenting on my question and for the link to the SF doc. However, in the question pointed out, the OP manages to log out a user, but this trick doesn't make the app ask for new credentials :/ – D4V1D Mar 24 '15 at 14:05

1 Answer


First of all, HTTP Basic Authentication has NOT been designed to support logging out.

That means you cannot guarantee it on every browser, neither with the 401 trick nor with the user@mysite.com redirection to invalidate the credentials.

See this answer.

So it is a bad habit to use it when you need to log your user out.

You should use the custom authentication provided by FOSUserBundle if you want to re-ask the user's credentials. And it's pretty simple & secure.

RSez
  • Many thanks for the reply. Unfortunately, `basic http auth` is a requirement from my boss and I cannot change to a custom auth. Is there any other way for SF2 to ask for credentials again? – D4V1D Mar 24 '15 at 18:44
  • With basic auth, no. You could use a redirect to force another username, e.g. in your controller `return $this->redirect('http://' . $randomUsername . '@' . $request->getHttpHost() . $this->generateUrl('admin'));` but the result will depend on the browser... – RSez Mar 24 '15 at 19:20
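For readers who, like the asker, are stuck with `http_basic`, the following is an added example (not code from the question, the answer, or Symfony itself) of the "401 trick" the answer refers to, written as a Symfony 2 controller. It flags the session as needing fresh credentials, then refuses the still-valid cached credentials once by answering 401 with a `WWW-Authenticate` header. The route name `admin`, the realm string, the session key and the controller namespace are assumptions; the `Request`, `Response` and `Controller` classes are standard Symfony 2 ones.

```php
<?php
// Added example, not from the question or the answer. Assumes a firewall with
// http_basic whose realm matches REALM below, a route named "admin", and PHP
// sessions enabled. The re-prompt only happens if the browser decides to
// discard its cached Authorization header after the 401 (browser-dependent).

namespace Acme\AdminBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

class ReauthController extends Controller
{
    // Must be identical to the realm the firewall sends, otherwise the browser
    // treats it as a different protection space and keeps the old credentials.
    const REALM = 'Secured Area';            // placeholder realm

    // Session flag meaning "ask again before serving the sensitive action".
    const SESSION_KEY = 'reauth_required';   // assumed key name

    /**
     * Entry point that demands fresh credentials: set the flag and challenge.
     * The firewall has already accepted the cached credentials by the time
     * this runs, so the controller's only lever is to reject them itself.
     */
    public function reauthAction(Request $request)
    {
        $request->getSession()->set(self::SESSION_KEY, true);

        return $this->challenge();
    }

    /**
     * Sensitive action. The first request after the flag was set is refused
     * with 401; once the browser resends an Authorization header (prompted or
     * replayed from cache), the firewall re-authenticates and the action runs.
     */
    public function sensitiveAction(Request $request)
    {
        $session = $request->getSession();

        if ($session->get(self::SESSION_KEY, false)) {
            // Clear first so the next request is not refused again.
            $session->remove(self::SESSION_KEY);

            return $this->challenge();
        }

        // Caveat: if the browser silently replayed its cached credentials,
        // the user was never actually re-asked. The server cannot tell the
        // difference, which is the limitation the answer describes.
        return new Response('sensitive content for ' . $request->getUser());
    }

    /**
     * Builds the same challenge the firewall's basic-auth entry point sends:
     * 401 plus WWW-Authenticate, which is what makes browsers prompt.
     */
    private function challenge()
    {
        $response = new Response('Authentication required', 401);
        $response->headers->set(
            'WWW-Authenticate',
            sprintf('Basic realm="%s"', self::REALM)
        );

        return $response;
    }
}
```

Wire `reauthAction` to the route that should force a new prompt and protect `sensitiveAction` behind the same `http_basic` firewall. Because HTTP Basic keeps no server-side state, the session flag is what turns a one-off 401 into "ask once, then let the normal firewall path resume"; without it, every request would be refused or none would.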