Logout not working for us

baggerone · May 21, 2019, 7:00pm

We are using a js ui frontend that communicates with a Yii 2.0 api.

In frontend/config/main.php, we have

        'user' => [
            'identityClass' => 'common\models\User',
            'enableAutoLogin' => true,
        ],
        'request' => [
            'enableCookieValidation' => false,
            'enableCsrfValidation' => true,
            'cookieValidationKey' => 'abc...',
            'parsers' => [
                'application/json' => 'yii\web\JsonParser',
            ]
        ],

We have a frontend controller class AuthController extends Controller with a login and a logout function.

In the logout function, we include \Yii::$app->user->logout(); Even so, logout leaves the user authenticated.

I’ve been trying to troubleshoot this for days. The only way I found to ensure the user stays logged out is to include the following …

$fileCache = \Yii::$app->getCache();
$fileCache->flush();

// Delete all the files in /var/lib/php/sessions
$this->destroyAllPhpSessionFiles();

Of course, the problem with that is that all users get logged out.

If I only do one of those two things, then the user remains authenticated.

Any idea what I should be doing differently?

(We also are using simplesamlphp for authentication as an SP. )

baggerone · May 24, 2019, 8:34pm

Well, we found a better solution but it seems that something is still not right.

Instead of destroying php session files and flushing the cache we now have these two lines …

    public function actionLogout()
    {
        // Log user out locally
        \Yii::$app->user->logout(true);
        \Yii::$app->response->cookies->remove('PHPSESSID');
...

This succeeds in logging the user out (superficially), but it doesn’t keep the user from using browser dev tools to re-insert the old PHPSESSID and be considered still authenticated.