Identity data stays in session if findIdentity() returns null #18646
Comments
My workaround is to use my custom

```php
/**
 * @see \yii\web\User
 */
protected function renewAuthStatus()
{
    parent::renewAuthStatus();
    if ($this->getIdentity() === null) {
        $this->switchIdentity(null);
    }
}
```

I suggest to add this to the implementation of
This sounds good, at least without digging more into the problem. @samdark ?

Hmm, I can see that renewAuthStatus is setting identity to

Right, setting I can't see why it would make sense to have the id params kept in session if the user is actually seen as guest.

So the problem is more with that and enabling auto login, right? Is setting it to

It has nothing to do with auto login. It's really about proper cleanup if the If the return value of
Point 2) already happens, but I think this is rather by accident:
Point 1) remains open.

Ok, I agree with what you are saying here. Would it work if the line I pointed to previously was changed to

Yes, doing a cleanup is a good idea. Since you're into it, may I ask if you have time for a pull request?
Closed via c94d704 (#18649):
- Issue #18646 Cleanup auth data from session if findIdentity() returns null
- Issue #18646 Refactor fix to remove stale identity data from session
- Issue #18646 Fix test for HttpBasicAuth (#15658)

Co-authored-by: Alexander Makarov <sam@rmcreative.ru>
Co-authored-by: Bizley <pawel@positive.codes>
What steps will reproduce the problem?
- `findIdentity()` returns `null` for that user (e.g. disable the user in the database)
- `getIsGuest()`

What is the expected result?
If `findIdentity()` returns `null` the user should be logged out properly and the identity information should be deleted from the session.

What do you get instead?
The user seems to be logged out (i.e. `getIsGuest()` returns `true`) but the identity information is still present in the session. The user is redirected to the login page on next request. If now the user record is re-enabled in the DB the user suddenly is logged in again.
This is an unexpected user experience and can also lead to weird errors on the login page.

Additional info
This is related to #9718 but to me the issue here is more fundamental. It is unrelated to auth_key and the like.
I'm unsure about BC issues but wonder why this was implemented this way. I can't think of a situation where it would make sense to keep the `idParam` in session if the associated identity is gone/no longer valid and `getIsGuest()` returns `true`.
The comment for `IdentityInterface::findIdentity()` also seems to suggest that this can be used to immediately un-authenticate (read: logout) a logged in user: