
Unset the active user data on logout.

When using stateless authentication, the current user should be cleared
after logout to maintain consistency with session-based authentication.

Refs #10422
markstory committed Mar 16, 2017
1 parent c5e31e5 commit ccc90066204229df1e8088de4ca1266267151397
@@ -645,6 +645,7 @@ public function logout() {
foreach ($this->_authenticateObjects as $auth) {
$auth->logout($user);
}
static::$_user = array();
$this->Session->delete(static::$sessionKey);
$this->Session->delete('Auth.redirect');
$this->Session->renew();
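Review bot: The new `static::$_user = array();` line is the only part of logout() that matters for stateless auth, yet nothing on the line says so; a reader can easily assume the session deletes below cover everything. Add a why-comment above it, `// Clear the in-memory user too: with $sessionKey === false nothing is stored in the session, so the deletes below would not log a stateless user out.` Keeping the assignment after the `$auth->logout($user)` loop is correct, since the authentication objects still receive the populated `$user`, and the comment should say the ordering is deliberate. The logout() body starts and ends outside this hunk; its docblock should mention that the cached user is reset as well.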
@@ -1428,6 +1428,23 @@ public function testLogout() {
$this->assertNull($this->Auth->Session->read('Auth.redirect'));
}
/**
* test that logout removes the active user data as well for stateless auth
*
* @return void
*/
public function testLogoutRemoveUser() {
$oldKey = AuthComponent::$sessionKey;
AuthComponent::$sessionKey = false;
$this->Auth->login(array('id' => 1, 'username' => 'mariano'));
$this->assertSame('mariano', $this->Auth->user('username'));
$this->Auth->logout();
AuthComponent::$sessionKey = $oldKey;
$this->assertNull($this->Auth->user('username'));
}
/**
* Logout should trigger a logout method on authentication objects.
*

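Review bot: testLogoutRemoveUser() restores `AuthComponent::$sessionKey` only on the success path; if `login()` or `logout()` throws or an assertion fails before `AuthComponent::$sessionKey = $oldKey;` runs, the static stays `false` and every later test in the process silently runs in stateless mode. Unless tearDown() (outside this hunk) already resets the key, the restore should happen there rather than inline; `try`/`finally` is presumably not available given the PHP versions this codebase supports, so tearDown() is the safer place. The final `assertNull($this->Auth->user('username'))` runs after the key is restored, so it is checking the static user cache rather than the session path; a comment stating that intent, `// key is restored first so the assertion proves the static user was cleared, not merely that the session was empty`, would prevent the test being "fixed" into meaninglessness later. That reasoning depends on how user() orders its lookups, which is not visible here.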