Logout not working for us

We are using a js ui frontend that communicates with a Yii 2.0 api.

In frontend/config/main.php, we have

        'user' => [
            'identityClass' => 'common\models\User',
            'enableAutoLogin' => true,
        'request' => [
            'enableCookieValidation' => false,
            'enableCsrfValidation' => true,
            'cookieValidationKey' => 'abc...',
            'parsers' => [
                'application/json' => 'yii\web\JsonParser',

We have a frontend controller class AuthController extends Controller with a login and a logout function.

In the logout function, we include \Yii::$app->user->logout(); Even so, logout leaves the user authenticated.

I’ve been trying to troubleshoot this for days. The only way I found to ensure the user stays logged out is to include the following …

$fileCache = \Yii::$app->getCache();

// Delete all the files in /var/lib/php/sessions

Of course, the problem with that is that all users get logged out.

If I only do one of those two things, then the user remains authenticated.

Any idea what I should be doing differently?

(We also are using simplesamlphp for authentication as an SP. )

Well, we found a better solution but it seems that something is still not right.

Instead of destroying php session files and flushing the cache we now have these two lines …

    public function actionLogout()
        // Log user out locally

This succeeds in logging the user out (superficially), but it doesn’t keep the user from using browser dev tools to re-insert the old PHPSESSID and be considered still authenticated.