Unset the active user data on logout.

When using stateless authentication the current user should be cleared
after logout to maintain consistency with session based authentication.

Refs #10422
This commit is contained in:
mark_story 2017-03-16 11:31:20 -04:00
parent c5e31e590d
commit ccc9006620
2 changed files with 18 additions and 0 deletions

View file

@ -645,6 +645,7 @@ class AuthComponent extends Component {
foreach ($this->_authenticateObjects as $auth) { foreach ($this->_authenticateObjects as $auth) {
$auth->logout($user); $auth->logout($user);
} }
static::$_user = array();
$this->Session->delete(static::$sessionKey); $this->Session->delete(static::$sessionKey);
$this->Session->delete('Auth.redirect'); $this->Session->delete('Auth.redirect');
$this->Session->renew(); $this->Session->renew();

View file

@ -1428,6 +1428,23 @@ class AuthComponentTest extends CakeTestCase {
$this->assertNull($this->Auth->Session->read('Auth.redirect')); $this->assertNull($this->Auth->Session->read('Auth.redirect'));
} }
/**
* test that logout removes the active user data as well for stateless auth
*
* @return void
*/
public function testLogoutRemoveUser() {
$oldKey = AuthComponent::$sessionKey;
AuthComponent::$sessionKey = false;
$this->Auth->login(array('id' => 1, 'username' => 'mariano'));
$this->assertSame('mariano', $this->Auth->user('username'));
$this->Auth->logout();
AuthComponent::$sessionKey = $oldKey;
$this->assertNull($this->Auth->user('username'));
}
/** /**
* Logout should trigger a logout method on authentication objects. * Logout should trigger a logout method on authentication objects.
* *