Reputation: 225
I have a logout function that worked in another project but for some reason doesn't work in the project I am currently working on. It looks like it just refreshes the page. I checked the official documentation of Symfony https://symfony.com/doc/current/security.html but to no avail. Hope you guys can help me.
Updated: Security.yml:
# To get started with security, check out the documentation:
# https://symfony.com/doc/current/security.html
security:
    providers:
        in_memory:
            memory:
                users:
                    beheerder:
                        password: admin
                        roles: 'ROLE_BEHEERDER'
    access_control:
        - { path: '^/beheerder/*', roles: [ROLE_BEHEERDER] }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            anonymous:
            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#a-configuring-how-your-users-will-authenticate
            http_basic: ~
            # https://symfony.com/doc/current/security/form_login_setup.html
            #form_login: ~
            logout:
                path: security_logout
                target: /
Controller:
<?php

namespace AppBundle\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\ExpressionLanguage\Expression;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

class DefaultController extends Controller
{
    // Function to go to the homepage, with a redirect to the user's homepage.
    /**
     * @Route("/", name="homepage")
     */
    public function indexAction(Request $request, AuthorizationCheckerInterface $authorizationChecker)
    {
        if ($authorizationChecker->isGranted(new Expression('"ROLE_BEHEERDER" in roles')))
        {
            return $this->redirectToRoute('beheerder');
        }
        else
        {
            return $this->render('default/index.html.twig');
        }
    }

    /**
     * @Route("/beheerder", name="beheerder")
     */
    public function beheerder(Request $request)
    {
        return new Response($this->renderView('beheerder/index.html.twig'));
    }

    /**
     * @Route("/logout", name="security_logout")
     */
    public function logoutAction(Request $request)
    {
        return new Response($this->renderView('logout.html.twig'), 401);
    }
}
Logout Twig:
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <title>{% block title %}Overzicht{% endblock %}</title>
        <link rel="icon" type="image/x-icon" href="{{ asset('favicon.ico') }}" />
    </head>
    <body>
        <p>Redirecting back....</p>
        <script>
            document.cookie = 'PHPSESSID=; Path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
            window.location.href = '{{ url('homepage') }}';
        </script>
    </body>
</html>
EDIT: I am using Symfony 3.4. When I go to the page /logout, it looks like it just refreshes the page. I can see that it goes to the logout function, but the user won't be logged out.
Upvotes: 3
Views: 5792
Reputation: 455
From the Symfony security docs: https://symfony.com/doc/3.4/security.html#logging-out
Notice that when using http-basic authenticated firewalls, there is no real way to log out: the only way to log out is to have the browser stop sending your name and password on every request. Clearing your browser cache or restarting your browser usually helps. Some web developer tools might be helpful here too.
You are using http-basic, so clearing the cookie won't work. So if you want to use that code, you need to implement a different authentication and stop using http-basic.
Upvotes: 4
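A simplified model of the behaviour described in the answer above, added here as an illustration; it is not Symfony's code and not part of the original posts. The mode names `http_basic` and `session`, the session id `sess-1` and all function names are assumptions made for the example. It shows why invalidating the session and clearing `PHPSESSID` leaves an HTTP Basic user logged in, while the same steps log out a session-based user.

```python
import base64

USERS = {"beheerder": "admin"}   # in_memory provider from the question
SESSIONS = {}                    # session id -> user name (constructed)

def handle(path, headers, cookies, mode):
    """One request through a simplified firewall; returns an HTTP status."""
    user = None
    if mode == "http_basic":
        # Stateless: identity is re-derived from the Authorization header
        # on every request, independent of any cookie.
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            name, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            if USERS.get(name) == pw:
                user = name
    else:
        # Session-based login: identity lives in the server-side session.
        user = SESSIONS.get(cookies.get("PHPSESSID"))
    if path == "/logout":
        SESSIONS.pop(cookies.get("PHPSESSID"), None)  # invalidate session
        return 302
    if path.startswith("/beheerder") and user is None:
        return 401
    return 200

class Browser:
    def __init__(self, mode):
        self.mode, self.headers, self.cookies = mode, {}, {}

    def login(self, name, pw):
        if self.mode == "http_basic":
            # The browser caches the credentials and replays them itself.
            token = base64.b64encode(f"{name}:{pw}".encode()).decode()
            self.headers["Authorization"] = "Basic " + token
        elif USERS.get(name) == pw:
            SESSIONS["sess-1"] = name
            self.cookies["PHPSESSID"] = "sess-1"

    def get(self, path):
        return handle(path, self.headers, self.cookies, self.mode)

def statuses_around_logout(mode):
    """Status of /beheerder before and after logout plus cookie clearing."""
    b = Browser(mode)
    b.login("beheerder", "admin")
    before = b.get("/beheerder")
    b.get("/logout")
    b.cookies.pop("PHPSESSID", None)  # what the script in logout.html.twig does
    return before, b.get("/beheerder")
```

`statuses_around_logout("http_basic")` returns `(200, 200)` because the cached `Authorization` header re-authenticates the next request; `statuses_around_logout("session")` returns `(200, 401)`.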
Reputation: 2827
app/config/security.yml
security:
    # editor fold [...]
    firewalls:
        # editor fold [...]
        main:
            # editor fold [...]
            # add logout into the security firewall
            logout:
                path: security_logout
                target: /
    # editor fold [...]
    access_control:
        - { path: '^/beheerder/*', roles: [ROLE_BEHEERDER] }
        # Not needed
        # - { path: '^/logout', roles: [IS_AUTHENTICATED_ANONYMOUSLY] }
app/config/routing.yml
# editor fold [...]
# add logout path into main routing file
security_logout:
    path: /logout
Twig view
<!-- logout link -->
<a href="{{ path('security_logout') }}">Logout</a>
Upvotes: 0
Reputation: 20286
You haven't set up the firewalls
main:
    anonymous: ~
It should look like main: anonymous: ~ secured_arena: pattern: ^/beheerder
Having this says that everyone can access the "main" firewall; you should restrict the area.
When you have it, then just add the following lines to the firewall
logout:
    path: /logout
    target: /
and define the /logout route, which you already did. Symfony will do the logout automatically.
You also need to specify an authenticator and checkpath; check https://symfony.com/doc/current/security/custom_password_authenticator.html
Upvotes: 0
Reputation: 522
In access control you define the logout path for IS_AUTHENTICATED_ANONYMOUSLY;
this is wrong.
Please remove - { path: '^/logout', roles: [IS_AUTHENTICATED_ANONYMOUSLY] }
OR
edit - { path: '^/logout', roles: [ROLE_BEHEERDER] }
Upvotes: 0