Using Symfony 4 with a security.yaml like this:
security:
    encoders:
        App\Entity\User: sha256
    providers:
        public_users:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: login
                remember_me: true
            remember_me:
                secret: "%kernel.secret%"
                name: relevea_remember_me   # name of the remember-me cookie
                lifetime: 864000            # seconds (10 days)
                always_remember_me: false
                remember_me_parameter: user_login[stayConnected]
            logout:
                path: logout
                target: /about
                invalidate_session: false   # the session is kept on logout
    access_control:
        - { path: ^/auth, roles: IS_AUTHENTICATED_ANONYMOUSLY }
The logout action does not clear the rememberMe token.
I can see that LogoutListener ( https://github.com/symfony/security/blob/master/Http/Firewall/LogoutListener.php ) is called after RememberMeListener ( https://github.com/symfony/security/blob/master/Http/Firewall/RememberMeListener.php ), so for LogoutListener the token is null and nothing is cleared :/
The list of listeners from TraceableFirewallListener:
Symfony\Component\Security\Http\Firewall\ChannelListener
Symfony\Component\Security\Http\Firewall\ContextListener
Symfony\Component\Security\Http\Firewall\LogoutListener
Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener
Symfony\Component\Security\Http\Firewall\RememberMeListener
Symfony\Component\Security\Http\Firewall\AnonymousAuthenticationListener
Symfony\Component\Security\Http\Firewall\AccessListener
Why is the logout listener before the other listeners?
Best answer
This seems to be a known issue since 2013!
https://github.com/symfony/symfony/issues/7104
So basically, you cannot log out from a RememberMe token :/
Regarding php - Symfony security logout not clearing RememberMe token, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/47932614/