

Unset the active user data on logout.
When using stateless authentication, the current user should be cleared
after logout to maintain consistency with session-based authentication.

Refs #10422
markstory committed Mar 16, 2017
1 parent c5e31e5 commit ccc9006
Showing 2 changed files with 18 additions and 0 deletions.
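--- a/lib/Cake/Controller/Component/AuthComponent.php
+++ b/lib/Cake/Controller/Component/AuthComponent.php
@@ -645,6 +645,7 @@ public function logout() {
 foreach ($this->_authenticateObjects as $auth) {
 $auth->logout($user);
 }
+static::$_user = array();
 $this->Session->delete(static::$sessionKey);
 $this->Session->delete('Auth.redirect');
 $this->Session->renew();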
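Review bot: The new `static::$_user = array();` line carries no comment saying why the in-memory user is reset here, and because the session deletes that follow it look like they already "log out", a later maintainer could drop it as redundant; the stateless test added in this commit suggests `user()` consults the static cache before the session, but that is inferred rather than visible here. Suggest adding `// Reset the cached user so stateless auth (sessionKey === false) is logged out too; refs #10422` directly above it. The reset is deliberately ordered after the `$auth->logout($user)` loop, so authenticators still receive the user that was read earlier; that order is worth keeping if the method is reworked. logout() starts and ends outside this hunk.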
17 changes: 17 additions & 0 deletions lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php
Expand Up @@ -1428,6 +1428,23 @@ public function testLogout() {
$this->assertNull($this->Auth->Session->read('Auth.redirect')); $this->assertNull($this->Auth->Session->read('Auth.redirect'));
} }


/**
* test that logout removes the active user data as well for stateless auth
*
* @return void
*/
public function testLogoutRemoveUser() {
$oldKey = AuthComponent::$sessionKey;
AuthComponent::$sessionKey = false;
$this->Auth->login(array('id' => 1, 'username' => 'mariano'));
$this->assertSame('mariano', $this->Auth->user('username'));

$this->Auth->logout();
AuthComponent::$sessionKey = $oldKey;

$this->assertNull($this->Auth->user('username'));
}

/** /**
* Logout should trigger a logout method on authentication objects. * Logout should trigger a logout method on authentication objects.
* *
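Review bot: `AuthComponent::$sessionKey = $oldKey;` in testLogoutRemoveUser() runs only on the success path; if `login()`, the `assertSame` that precedes `logout()`, or `logout()` itself throws, the static stays `false` and every later test in the process runs in stateless mode, turning one failure into a cascade of unrelated ones. Restore the key in `tearDown()` (or wrap the body in `try`/`finally` if the project's PHP floor allows it) instead of inline. The test also relies on `logout()` tolerating a `false` session key when it calls `$this->Session->delete(static::$sessionKey)`; that code is outside this hunk, so a one-line comment such as `// sessionKey === false simulates stateless auth; logout() must not require a session key` would make the assumption explicit. testLogout() closes inside the hunk; the trailing docblock belongs to the next test.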

