I ran into an interesting bug that took a bit to identify.
We have a fairly standard auth setup in place.
Auth::check() to see if they are logged in. If they are, go to the dashboard. If they aren't, take them to the login screen.
The dashboard view loops through several ajax calls to fill in various sections of the dashboard. What I discovered is if a user tries to logout before the ajax calls are completed, they are redirected back to the dashboard and still logged in (I've verified that they do go through the logout process and Auth::check() returns false).
If they try and logout after the ajax calls are complete (or if I disable the ajax calls), it works as expected and they are logged out and redirected to the login screen.
The basic structure is:
Routes.php

    Route::get('/', array('as' => 'home', 'uses' => 'HomeController@getIndex'));
    Route::get('/login', array('as' => 'login', 'uses' => 'AuthController@getLogin'))->before('guest');
    Route::post('/login', array('uses' => 'AuthController@postLogin'))->before('csrf');
    Route::get('/logout', array('as' => 'logout', 'uses' => 'AuthController@getLogout'))->before('auth');
    Route::get('/dashboard', array('as' => 'dashboard', 'uses' => 'DashboardController@getIndex'))->before('auth');
    Route::post('/dashboard/panel', array('as' => 'getPanelData', 'uses' => 'DashboardController@getDashboardPanelData'))->before('auth');
    /* /dashboard/panel is what receives the ajax call data and returns the result */
HomeController.php

    class HomeController extends BaseController {

        public function getIndex()
        {
            if (Auth::check()) {
                return Redirect::route('dashboard');
            } else {
                Session::flush();
                return Redirect::route('login');
            }
        }
    }
DashboardController.php

    class DashboardController extends BaseController {

        public function getIndex()
        {
            return View::make('layouts.dashboard.index');
        }

        public function getDashboardPanelData()
        {
            // gets data from the ajax call (POST /dashboard/panel) and returns a result;
            // the real panel data is built here, an empty JSON body stands in for it
            return Response::json(array());
        }
    }
I've thought up a couple of solutions, one being to kill any unfinished ajax requests when you click the logout button, the other removing the auth filter from the panels route, but I'm unsure if the first is a good idea and I'm wary of the latter from a security standpoint.
EDIT:
You can ignore the loop part in all of this. Even if I take the loop out and only run one ajax call, if I log out in the middle of the ajax call I still get the issue where it logs out and logs back in again.
ADD. EDIT:
I tried removing the auth filter on /dashboard/panel and it doesn't fix the problem.
EDIT:
Here's the auth filter, it's pretty standard.

    Route::filter('auth', function()
    {
        if (Auth::guest()) return Redirect::guest('login');
    });
PARTIAL SOLUTION: In my case, the dashboard panels don't require access by an authenticated user. What I did was check for the path in my session config and if it matches the dashboard panels, change the session driver to array (which won't rewrite the file session, thereby allowing a full logout).
In session.php:

    'driver' => Request::path() === 'dashboard/panel' ? 'array' : 'file',
Again, it's not an ideal solution for all, but in my case it is sufficient.
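The behaviour described in this post is a read-modify-write race on the session record: the in-flight panel request loads the session while the user is still logged in, the logout request clears the login key and saves, and then the panel request finishes and writes its stale copy back over the top. The following Python simulation is an added example and is not Laravel's code or code from the post; it models a file-style session store and two interleaved requests with constructed session ids and values, reproduces the lost logout, and then shows two ways it goes away: the post's own workaround (the panel request uses a driver that never persists) and, as a general hardening assumed here rather than taken from the post, moving the logout to a fresh session id so that a late write-back lands on an orphaned record the client no longer references.

```python
"""Simulate the session write-back race between an in-flight AJAX request and a logout.

Constructed model of a file-backed session driver; not Laravel code.
"""
import copy


class FileSessionStore:
    """Stand-in for a 'file' session driver: one record per session id, last writer wins."""

    def __init__(self):
        self.records = {}

    def read(self, sid):
        return copy.deepcopy(self.records.get(sid, {}))

    def write(self, sid, data):
        self.records[sid] = copy.deepcopy(data)

    def delete(self, sid):
        self.records.pop(sid, None)


class Request:
    """One request's session lifecycle: load a copy at start, persist it at the end."""

    def __init__(self, store, sid, driver):
        self.store = store
        self.sid = sid
        self.driver = driver      # 'file' persists on finish; 'array' keeps it in memory only
        self.session = None

    def start(self):
        self.session = self.store.read(self.sid)

    def finish(self):
        if self.driver == "file":
            self.store.write(self.sid, self.session)


def logout(request, regenerate_id=False):
    """Clear the login key; optionally move to a new session id and drop the old record.

    The id rotation is an assumed hardening, not something the post describes.
    """
    request.session.pop("login_id", None)
    if regenerate_id:
        old_sid = request.sid
        request.sid = old_sid + "-new"   # constructed id; a real app would use a random one
        request.store.delete(old_sid)
    return request.sid                   # the id the client's cookie carries afterwards


def simulate(panel_driver="file", regenerate_id=False):
    """Return True if the user is still logged in after the interleaving from the post."""
    store = FileSessionStore()
    sid = "sess-1"
    store.write(sid, {"login_id": 42})           # constructed logged-in session

    panel = Request(store, sid, panel_driver)    # the AJAX POST to /dashboard/panel
    logout_req = Request(store, sid, "file")     # the GET /logout request

    panel.start()                                # 1. panel loads the session (login_id=42)
    logout_req.start()                           # 2. logout loads the same session
    client_sid = logout(logout_req, regenerate_id)
    logout_req.finish()                          # 3. logout persists a session without login_id
    panel.finish()                               # 4. panel finishes and writes back its stale copy

    return store.read(client_sid).get("login_id") is not None


if __name__ == "__main__":
    print("plain file driver, still logged in:", simulate())
    print("array driver for panel path, still logged in:", simulate(panel_driver="array"))
    print("session id rotated on logout, still logged in:", simulate(regenerate_id=True))
```

The first call reproduces the symptom: Auth::check() is false while the logout request runs, yet the record holds the login key again once the panel request writes back. The second call is the post's session.php workaround, and the third shows why a logout that abandons the old session id is robust against any late writer, not just the one path the config singles out.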