This article covers how to log out from http_basic authentication in Symfony2; it may be a useful reference for anyone facing the same problem.

Problem description


Whenever I go to /admin/logout, I'm correctly redirected to the root of my project but still logged in when I visit /admin/, as I'm not prompted for credentials.

Here is my configuration:

security.yml

security:
    firewalls:
        admin_area:
            pattern:    ^/admin
            http_basic: ~
            stateless:  true
            switch_user: { role: ROLE_SUPER_ADMIN, parameter: _want_to_be_this_user }
            logout: { path: /admin/logout, target: / }

AdminBundle/Resources/config/routing.yml

logout:
    pattern:   /logout

app/config/routing.yml

admin:
    resource: "@AdminBundle/Resources/config/routing.yml"
    prefix:   /admin

The authorization is still in place, as the headers state Authorization:Basic YWRtaW46cEAkJHcwUmQh, so I guess credentials are still provided to the application during the request.

I know there is no proper way to log out from HTTP Basic Auth as per this question, but maybe Symfony2 allows it?

Recommended answer

Once logged in via http auth, your browser will cache your login credentials and add them to each subsequent request in the form of a header like this:

Authorization:Basic YWRtaW46YWRtaW4=

When you do a logout, the next request to the server will still hold your http credentials and log you in again.

So the trick is to lose the http credentials on the client side after destroying the session on the server side.

In the past there were some hacky methods like submitting false credentials or some obscure IE method for deleting the cache. But I don't think these methods still work.

What still works (I tested the following method with symfony 2.7 and google chrome 45) is replying to the client with an HTTP 401 unauthorized response.

Check it out:

Add the following to your logout section in the app/config/security.yml file

logout:
    success_handler: logout_listener

And to your services configuration app/config/services.yml

logout_listener:
    class: AppBundle\LogoutListener

Then create a listener that responds with HTTP 401 unauthorized

<?php

namespace AppBundle;

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;

// Replaces the default logout success handler (which would redirect to the
// configured target) with one that answers 401 so the browser drops the
// cached Basic credentials.
class LogoutListener implements LogoutSuccessHandlerInterface
{
    public function onLogoutSuccess(Request $request)
    {
        // Empty body, 401 status: the browser treats this as a failed
        // authentication and forgets the credentials it was caching.
        return new Response('', 401);
    }
}

After logging out your app will send a 401 to the browser, which will think authentication has failed, resulting in the auth cache being cleared (who wants to remember faulty credentials anyway, right) and prompting for your credentials again.
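A fuller version of the same handler, added here as an example and not part of the answer above: it keeps the 401 that clears the browser's Basic-auth cache, but also sends the WWW-Authenticate challenge a 401 response is required to carry (RFC 7235), disables caching of the logout response, and returns a small page linking back to a landing path. The realm name and the target path are assumptions; pass them in from services.yml with `arguments: ['Admin area', '/']` (the configured `target` in security.yml is ignored once a `success_handler` is set).

```php
<?php
// Added example, not the answer's own code. Assumes Symfony 2.7 and that the
// service is declared with arguments: ['Admin area', '/'].

namespace AppBundle;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;

class LogoutListener implements LogoutSuccessHandlerInterface
{
    private $realm;   // realm named in the challenge (assumption: 'Admin area')
    private $target;  // where the logged-out user may continue (assumption: '/')

    public function __construct($realm = 'Admin area', $target = '/')
    {
        $this->realm  = $realm;
        $this->target = $target;
    }

    public function onLogoutSuccess(Request $request)
    {
        // Body shown if the user cancels the credential prompt; the target is
        // escaped so a mis-configured path cannot inject markup.
        $html = sprintf(
            '<p>You have been logged out. <a href="%s">Continue</a></p>',
            htmlspecialchars($this->target, ENT_QUOTES, 'UTF-8')
        );

        // 401 makes the browser treat its cached credentials as rejected and
        // discard them; the challenge header is what makes the 401 well-formed
        // and tells the browser which realm the rejection applies to.
        return new Response($html, 401, array(
            'WWW-Authenticate' => sprintf('Basic realm="%s"', $this->realm),
            'Cache-Control'    => 'no-store',
            'Content-Type'     => 'text/html; charset=UTF-8',
        ));
    }
}
```

Because the challenge is present, the browser opens its credential dialog immediately on the logout page; cancelling it shows the body with the link. The cache-clearing itself is browser behaviour rather than anything the protocol guarantees, so verify it in each browser you need to support, as the answer did with Chrome 45.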



09-06 23:22