Unset the active user data on logout.

When using stateless authentication the current user should be cleared
after logout to maintain consistency with session based authentication.

Refs #10422

lib/Cake/Controller/Component/AuthComponent.php

@@ -645,6 +645,7 @@ class AuthComponent extends Component {
 		foreach ($this->_authenticateObjects as $auth) {
 			$auth->logout($user);
 		}
+		static::$_user = array();
 		$this->Session->delete(static::$sessionKey);
 		$this->Session->delete('Auth.redirect');
 		$this->Session->renew();

lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php

@@ -1428,6 +1428,23 @@ class AuthComponentTest extends CakeTestCase {
 		$this->assertNull($this->Auth->Session->read('Auth.redirect'));
 	}
 
+/**
+ * test that logout removes the active user data as well for stateless auth
+ *
+ * @return void
+ */
+	public function testLogoutRemoveUser() {
+		$oldKey = AuthComponent::$sessionKey;
+		AuthComponent::$sessionKey = false;
+		$this->Auth->login(array('id' => 1, 'username' => 'mariano'));
+		$this->assertSame('mariano', $this->Auth->user('username'));
+
+		$this->Auth->logout();
+		AuthComponent::$sessionKey = $oldKey;
+
+		$this->assertNull($this->Auth->user('username'));
+	}
+
 /**
  * Logout should trigger a logout method on authentication objects.
  *