Sometimes when a user logs out and then clicks a link, when the link loads the user has been automatically logged back in. It is an intermittent problem, which is much more frequent if a link is clicked on very soon after the logout page has loaded - I use Selenium IDE to run functional tests and these frequently break due to this problem.
The logout action is very simple:
    public function actionLogout() {
        if (Yii::app()->user->isGuest !== true) {
            Yii::app()->user->logout();
        }
        $this->render('logout');
    }
The only unusual thing about the site that could be causing the problem is that the site has an iframe running in a sub domain that uses the same server side codebase and login session. This iframe communicates with the server via ajax.
Could it be possible that if an ajax request is sent after the logout action but before the logout action returns, that its session data could be logging the user back in? If so what can I do about it?
I can’t find anyone else having this problem and I would have thought that if this is the cause of the problem then it would be also caused by other tabs running ajax requests after the logout request.
If not this, any other ideas on what might be causing this?
Before proceeding: Have you turned on the CWebUser::allowAutoLogin directive?
My approach would be to:
1. Turn on (persistent) logging in the config files.
2. Add a
       Yii::log(sprintf('User #%s has signed in (Session ID: %s)', Yii::app()->user->name, Yii::app()->session->sessionID), 'info', 'application.controller.SiteController');
   to the UserIdentity class (after successful login) (or alternatively a similar logging after a logout() call).
3. Check whether there are multiple logins during a test or if the same session is used.
// Edit: Also check on which site you are logging out. If you are running the application on two different subdomains (e.g. example.tld and sub1.example.tld) it could very well be possible that you are only logging out/logging in on one of the domains while the other session still remains valid.
You wrote that you use the same session across the two domains - how did you manage this?
Thanks Coksnuss, logging was going to be my next step if no one else had already solved this problem.
allowAutoLogin is turned on, but this behavior happens when the user doesn’t select the checkbox. It could still be causing the problem though.
Both domains usually log in/out when the first one does. I don’t remember doing anything special to make it work on both sub domains. They both use the same Yii application, so the session paths etc are all the same.
Update
I’ve determined that the sub domain does try to log the user back in, so it must be something to do with the ajax request. Currently trying to extend the beforeLogin function to see if I can catch it.
I assume the sessionid is saved within a cookie. Just make sure (when you logged in) that there is only one cookie with a sessionid and with domain example.tld (and not www.example.tld or something similar)
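Added example (not part of any post in this thread, and not Yii code): a small checker for the cookie-scope test suggested above. It replays Set-Cookie headers the way a browser cookie jar would and reports which session cookies are still sent after logout. The cookie name PHPSESSID (PHP's default), the session values and the captured headers are constructed assumptions.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def replay(responses, session_name="PHPSESSID"):
    """Apply (host, Set-Cookie) pairs in order; return surviving session cookies.

    Browsers key cookies on name, domain and path, and keep host-only cookies
    apart from Domain= cookies, so a deletion only removes an exact match.
    Only Max-Age is treated as an expiry signal here (Expires is ignored).
    """
    jar = {}
    for host, header in responses:
        name, value, attrs = parse_set_cookie(header)
        if name != session_name:
            continue
        host_only = "domain" not in attrs  # no Domain= means host-only
        domain = attrs.get("domain", "").lstrip(".").lower() or host.lower()
        key = (domain, host_only, attrs.get("path", "/"))
        max_age = attrs.get("max-age", "")
        if max_age.lstrip("-").isdigit() and int(max_age) <= 0:
            jar.pop(key, None)
        else:
            jar[key] = value
    return jar


def cookies_sent_to(jar, host):
    """Session IDs the browser would still attach to a request for `host`."""
    host = host.lower()
    return sorted(
        value for (domain, host_only, _path), value in jar.items()
        if host == domain or (not host_only and host.endswith("." + domain))
    )


# Constructed capture: login on both hosts, then logout on the main host only.
CAPTURE = [
    ("example.tld", "PHPSESSID=aaa111; Path=/; HttpOnly"),
    ("sub1.example.tld", "PHPSESSID=bbb222; Domain=.example.tld; Path=/; HttpOnly"),
    ("example.tld", "PHPSESSID=gone; Max-Age=0; Path=/"),
]
```

With this capture, the logout removes only the host-only cookie, and the Domain=.example.tld cookie set through the subdomain is still sent to both hosts afterwards.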