Merge branch '1.3'

* 1.3: Changed the proposed nginx configuration to mimic Symfony's one fixed session logout handler when a firewall is stateless Support optional session invalidation on logout

Merge branch '1.3'
* 1.3: Changed the proposed nginx configuration to mimic Symfony's one fixed session logout handler when a firewall is stateless Support optional session invalidation on logout
3fed3e48 · Fabien Potencier · 922fdadf · e9bd89bb · 3fed3e48 · 3fed3e48
Commit 3fed3e48 authored Aug 03, 2015 by Fabien Potencier
4 changed files
--- a/doc/changelog.rst
+++ b/doc/changelog.rst
@@ -22,7 +22,7 @@ Changelog
 1.3.1 (2015-XX-XX)
 ------------------
-* n/a
+* fixed session logout handler when a firewall is stateless
 1.3.0 (2015-06-05)
 ------------------

--- a/doc/providers/security.rst
+++ b/doc/providers/security.rst
@@ -293,7 +293,7 @@ pattern::
        'secured' => array(
            'pattern' => '^/admin/',
            'form' => array('login_path' => '/login', 'check_path' => '/admin/login_check'),
-            'logout' => array('logout_path' => '/admin/logout'),
+            'logout' => array('logout_path' => '/admin/logout', 'invalidate_session' => true),
            // ...
        ),

--- a/doc/web_servers.rst
+++ b/doc/web_servers.rst
@@ -39,38 +39,45 @@ Alternatively, if you use Apache 2.2.16 or higher, you can use the
 nginx
 -----
-If you are using nginx, configure your vhost to forward non-existent
+The **minimum configuration** to get your application running under Nginx is:
-resources to ``index.php``:
 .. code-block:: nginx
    server {
-        #site root is redirected to the app boot script
+        server_name domain.tld www.domain.tld;
-        location = / {
+        root /var/www/project/web;
-            try_files @site @site;
-        }
-        #all other locations try other files first and go to our front controller if none of them exists
        location / {
-            try_files $uri $uri/ @site;
+            # try to serve file directly, fallback to front controller
+            try_files $uri /index.php$is_args$args;
        }
-        #return 404 for all php files as we do have a front controller
+        # If you have 2 front controllers for dev|prod use the following line instead
-        location ~ \.php$ {
+        # location ~ ^/(index|index_dev)\.php(/|$) {
-            return 404;
+        location ~ ^/index\.php(/|$) {
-        }
-        location @site {
            # the ubuntu default
            fastcgi_pass   unix:/var/run/php5-fpm.sock;
            # for running on centos
            #fastcgi_pass   unix:/var/run/php-fpm/www.sock;
+            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
-            fastcgi_param  SCRIPT_FILENAME $document_root/index.php;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            #uncomment when running via https
+            fastcgi_param HTTPS off;
-            #fastcgi_param HTTPS on;
+            # Prevents URIs that include the front controller. This will 404:
+            # http://domain.tld/index.php/some-path
+            # Enable the internal directive to disable URIs like this
+            # internal;
        }
+        #return 404 for all php files as we do have a front controller
+        location ~ \.php$ {
+            return 404;
+        }
+        error_log /var/log/nginx/project_error.log;
+        access_log /var/log/nginx/project_access.log;
    }
 IIS

--- a/src/Silex/Provider/SecurityServiceProvider.php
+++ b/src/Silex/Provider/SecurityServiceProvider.php
@@ -233,6 +233,8 @@ class SecurityServiceProvider implements ServiceProviderInterface, EventListener
                            throw new \LogicException(sprintf('The "%s" authentication entry is not registered.', $type));
                        }
+                        $options['stateless'] = $stateless;
                        list($providerId, $listenerId, $entryPointId, $position) = $app['security.authentication_listener.factory.'.$type]($name, $options);
                        if (null !== $entryPointId) {
@@ -504,7 +506,10 @@ class SecurityServiceProvider implements ServiceProviderInterface, EventListener
                    isset($options['with_csrf']) && $options['with_csrf'] && isset($app['form.csrf_provider']) ? $app['form.csrf_provider'] : null
                );
+                $invalidateSession = isset($options['invalidate_session']) ? $options['invalidate_session'] : true;
+                if (true === $invalidateSession && false === $options['stateless']) {
                    $listener->addHandler(new SessionLogoutHandler());
+                }
                return $listener;
            };