
Unset the active user data on logout.

When using stateless authentication, the current user should be cleared
after logout to stay consistent with session-based authentication.

Refs #10422
markstory committed Mar 16, 2017
1 parent c5e31e5 commit ccc90066204229df1e8088de4ca1266267151397
@@ -645,6 +645,7 @@ public function logout() {
foreach ($this->_authenticateObjects as $auth) {
$auth->logout($user);
}
static::$_user = array();
$this->Session->delete(static::$sessionKey);
$this->Session->delete('Auth.redirect');
$this->Session->renew();
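Review bot: The added `static::$_user = array();` line has no comment, and the reason it is needed lives only in the commit message: the session deletes that follow it do nothing for a stateless login (the new test toggles `AuthComponent::$sessionKey = false`), so the static user cache is apparently the only place that login survives. Suggest `// Also reset the static user cache: with stateless auth (sessionKey === false) the session deletes below never touch it.` so the next reader does not remove the line as redundant with the session deletes. Placing the reset after the `$auth->logout($user)` loop is the right order, since the authenticate objects still receive the user being logged out. The signature and the rest of `logout()` lie outside this hunk.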
@@ -1428,6 +1428,23 @@ public function testLogout() {
$this->assertNull($this->Auth->Session->read('Auth.redirect'));
}
/**
* test that logout removes the active user data as well for stateless auth
*
* @return void
*/
public function testLogoutRemoveUser() {
$oldKey = AuthComponent::$sessionKey;
AuthComponent::$sessionKey = false;
$this->Auth->login(array('id' => 1, 'username' => 'mariano'));
$this->assertSame('mariano', $this->Auth->user('username'));
$this->Auth->logout();
AuthComponent::$sessionKey = $oldKey;
$this->assertNull($this->Auth->user('username'));
}
/**
* Logout should trigger a logout method on authentication objects.
*
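Review bot: In `testLogoutRemoveUser()` the restore `AuthComponent::$sessionKey = $oldKey;` runs only on the success path, so if the `assertSame` before `logout()` fails (or `login()` throws) the static stays `false` and leaks into every later test in the process. Restoring it from `tearDown()` avoids that: save the old value in a property such as `$this->_oldSessionKey = AuthComponent::$sessionKey;` at the top of the test and add `AuthComponent::$sessionKey = $this->_oldSessionKey;` to `tearDown()` — whether a `tearDown()` already exists is not visible from this hunk. The assertion `assertNull($this->Auth->user('username'))` can then stay exactly as written. The hunk ends inside the docblock of the next test method.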
