问题描述
每当我转到/admin/logout
时,我都会正确地重定向到项目的根目录,但是当我访问/admin/
时仍会登录,因为没有提示您输入凭据.
Whenever I go to /admin/logout
, I'm correctly redirected to the root of my project but still logged in when I visit /admin/
as I'm not prompted for credentials.
这是我的配置:
security.yml
security:
firewalls:
admin_area:
pattern: ^/admin
http_basic: ~
stateless: true
switch_user: { role: ROLE_SUPER_ADMIN, parameter: _want_to_be_this_user }
logout: { path: /admin/logout, target: / }
AdminBundle/Resources/config/routing.yml
logout:
pattern: /logout
app/config/routing.yml
admin:
resource: "@AdminBundle/Resources/config/routing.yml"
prefix: /admin
由于标头状态为Authorization:Basic YWRtaW46cEAkJHcwUmQh
,授权仍然有效,因此我认为在请求期间仍会向应用程序提供凭据.
The authorization is still in place as the headers state Authorization:Basic YWRtaW46cEAkJHcwUmQh
so I guess credentials are still provided to the application during the request.
我知道按照,但也许Symfony2允许吗?
I know there is no proper way to logout from a HTTP Basic Auth
as per this question but maybe Symfony2 allows it?
推荐答案
通过http auth登录后,您的浏览器将缓存您的登录凭据并将其添加到每个后续请求中,其标题形式如下:
Once logged in via http auth, your browser will cache and add your login credentials to each subsequent request in the form of a header like this:
Authorization:Basic YWRtaW46YWRtaW4=
注销后,对服务器的下一个请求仍将保留您的http凭据,然后再次登录.
When you do a logout, the next request to the server will still hold your http credentials and log you in again.
因此,窍门是在破坏服务器端的会话之后,丢失客户端的http凭据.
So the trick is to lose the http credentials on the client side after destroying the session on the server side.
过去,那里有一些骇人听闻的方法,例如提交虚假凭据或一些晦涩的IE方法来删除缓存.但是我认为这些方法仍然无效.
In the past there where some hackidy methods like submitting false credentials or some obscure IE method for deleting the cache. But I don't think these methods still work.
仍然有效的方法(我使用symfony 2.7和google chrome 45测试了以下方法)是使用HTTP 401未经授权的响应来答复客户端.
What still works ( I tested the following method with symfony 2.7 and google chrome 45 ) is replying to the client with a HTTP 401 unauthorized response.
签出:
在app/config/security.yml文件的注销部分中添加以下内容
Add the following to your logout section in the app/config/security.yml file
logout:
success_handler: logout_listener
转到您的服务配置app/config/services.yml
To your services configuration app/config/services.yml
logout_listener:
class: AppBundle\LogoutListener
然后创建一个监听器,该监听器使用未经授权的HTTP 401进行响应
Then create a listener that responds with HTTP 401 unauthorized
<?php
namespace AppBundle;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;
class LogoutListener implements LogoutSuccessHandlerInterface
{
public function onLogoutSuccess(Request $request)
{
return new Response('', 401);
}
}
注销后,您的应用程序将向浏览器发送一个401,该浏览器会认为身份验证失败,从而导致身份验证缓存被清除(谁仍然想记住错误的凭据)并再次提示您输入凭据
After logging out your app will send a 401 to the browser which will think authentication has failed resulting in the auth cache being cleared ( who wants to remember faulty credentials anyway right ) and prompt for your credentials again
这篇关于从Symfony2中的http_basic身份验证注销的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!