Symfony 2 inconsistency in logout route: logout redirect to login?

Question

I'd like to solve this inconsistency in my Symfony 2 application: when user is not authenticated path /app/logout redirects to /app/login . Instead, user not authenticated should view an error page (maybe 403).

Here is the security configuration. The IS_AUTHENTICATED_FULLY seems mandatory, as an user can do logout only if it's previously authenticated fully:

access_control:
    - { path: ^/app/login,  roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/app/logout, roles: IS_AUTHENTICATED_FULLY }

And the logout action of my AccessController :

/**
 * @Extra\Route("logout")
 * @Extra\Template
 */
public function logoutAction()
{
    // Set the token to null and invalidate the session
    $this->getSecurityContext()->setToken(null);
    $this->getSession()->invalidate();

    // Redirect url and seconds (window.location)
    $seconds  = 5;
    $redirect = $this->getRouter()->generate('access_login');

    return array('seconds' => $seconds, 'redirect' => $redirect);
}

One solution would be removing the route /app/logout from access control and then throwing an exception if user it's not fully authenticated:

if(false === $this->getSecurityContext()->isGranted('IS_AUTHENTICATED_FULLY'))
    throw new AccessDeniedException();

But this way /app/logout would be accessible even from not authenticated users! Anyone knows a better solution?

Answer 1

Just remove the logout path from access_control . Nothing bad is going to happen if a not authenticated user goes to the logout page — it's safe. Don't overengineer this stuff. ;)

BTW, why aren't you using the Symfony's built-in logout controller? You could create a logout handler to put your custom code in it instead of reinventing the wheel by handling all the logout stuff yourself.