Not being logged out of auth0 at all

Hey, I’m using the examples provided and simply trying to go back to the same login page after the user is logged in, so if Auth0 has got a user then we don’t hit the login method. I have more code below to run after they have logged in.

The issue I’m having is that after I log in, then log out, the user still appears to be logged in, so my steps:

  1. Log in through login.php.
  2. Directed back to login.php and the user’s details are displayed.
  3. Log out in logout.php, get directed to /.
  4. Go to login.php and the user’s details are displayed, but I should be getting sent to the login form.

login.php

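```php
use Auth0\SDK\Auth0;

/** @noinspection PhpUnhandledExceptionInspection*/
$auth0 = new Auth0([
	'domain' => AUTH0_DOMAIN,
	'client_id' => AUTH0_CLIENT_ID,
	'client_secret' => AUTH0_CLIENT_SECRET,
	'redirect_uri' => DMS_URL.'/login.php'
]);

// No user in the local session yet: start the Auth0 login redirect.
if (!$user = $auth0->getUser()) {
	$auth0->login();
}
// Dump the logged-in user's details.
dd($user);
```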

logout.php

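```php
use Auth0\SDK\Auth0;

/** @noinspection PhpUnhandledExceptionInspection*/
$auth0 = new Auth0([
	'domain' => AUTH0_DOMAIN,
	'client_id' => AUTH0_CLIENT_ID,
	'client_secret' => AUTH0_CLIENT_SECRET,
	'redirect_uri' => DMS_URL.'/'
]);

// Clear the user from the local application session.
$auth0->logout();
// Then end the session at Auth0: the logout endpoint is HTTPS and returnTo must be URL-encoded.
$return_to = DMS_URL.'/';
$logout_url = sprintf('https://%s/v2/logout?client_id=%s&returnTo=%s', AUTH0_DOMAIN, AUTH0_CLIENT_ID, urlencode($return_to));
header('Location: ' . $logout_url);
exit; // stop the script once the redirect header is sent
```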

Edit:

So, after some investigation it appears that even after hitting the logout page, the $_SESSION['auth0__user'] key isn’t being cleared. Due to the documentation using getUser() to distinguish if a user is logged in, it doesn’t make sense for Auth0 to not clear this by default?

Hey there!

I’m not a PHP guy, but maybe our PHP quickstart can be of help here, especially the section about logout:

also this one:

Strangely enough, I’ve just tested this code again this morning and now it appears to be working as expected! Very strange. I will keep those links in mind though, thank you.

Perfect! Glad to hear that!

Hi, turns out this issue is not resolved. I will update my question with what I have found out.

Ahh. Sure, provide more details so we can try to debug it further!

Already added at the bottom of my post.

So basic logout (covered on Auth0-PHP Basic Use) closes the session in your application, but for customers using Single Sign-on (SSO), you also need to close the session at Auth0.

Ref:

https://auth0.com/docs/libraries/auth0-php/using-the-authentication-api-with-auth0-php

  • How to log users out of Auth0

https://auth0.com/docs/logout/log-users-out-of-auth0

I have tried this already and it doesn’t appear to work; I can still call getUser and return a user after I have hit the logout script.

logout.php

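```php
use Auth0\SDK\Auth0;

/** @noinspection PhpUnhandledExceptionInspection*/
$auth0 = new Auth0([
	'domain' => AUTH0_DOMAIN,
	'client_id' => AUTH0_CLIENT_ID,
	'client_secret' => AUTH0_CLIENT_SECRET,
	'redirect_uri' => "http://{$_SERVER['HTTP_HOST']}/dealer_interface_login.php"
]);

// Clear the user from the local application session.
$auth0->logout();
// Then end the session at Auth0 (and at the identity provider via "federated").
// The logout endpoint is HTTPS and returnTo must be URL-encoded.
$return_to = DMS_URL.'/dealer_interface_login.php';
$logout_url = sprintf('https://%s/v2/logout?client_id=%s&returnTo=%s&federated', AUTH0_DOMAIN, AUTH0_CLIENT_ID, urlencode($return_to));
header('Location: ' . $logout_url);
exit; // stop the script once the redirect header is sent
```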

Hi, sorry I just realized I forgot to include my session script as we use regis! So the logout script was attempting to clear a normal PHP session rather than the regis session!

Glad you have found it! Thanks for sharing with the rest of the community forum!
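
The cause found at the end of this thread, reproduced as an added example (not code from the posts or from the Auth0 SDK): a logout script that skips the application's session bootstrap destroys a default file session and leaves `auth0__user` in the real store. `DemoStoreHandler`, `start_app_session`, `local_logout` and `auth0_logout_url` are hypothetical names, an in-memory array stands in for the external session store, and PHP 8 on the command line is assumed.

```php
<?php
// Constructed stand-in for an external session store (assumption, not the poster's handler).
final class DemoStoreHandler implements SessionHandlerInterface
{
    public static array $store = [];
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return self::$store[$id] ?? ''; }
    public function write(string $id, string $data): bool { self::$store[$id] = $data; return true; }
    public function destroy(string $id): bool { unset(self::$store[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }
}

// Hypothetical shared bootstrap: login.php and logout.php must both run this first.
function start_app_session(string $id): void
{
    session_set_save_handler(new DemoStoreHandler(), true);
    session_id($id);
    session_start();
}

// Clear the local session and report whether the user is really gone from the store.
function local_logout(string $id, bool $withBootstrap): bool
{
    if ($withBootstrap) {
        start_app_session($id);
    } else { // the thread's bug: logout runs against default file sessions instead
        ini_set('session.save_handler', 'files');
        ini_set('session.save_path', sys_get_temp_dir());
        session_id($id);
        session_start();
    }
    $_SESSION = [];
    session_destroy();
    return !isset(DemoStoreHandler::$store[$id]);
}

// Auth0 logout URL over HTTPS with returnTo URL-encoded (arguments below are placeholders).
function auth0_logout_url(string $domain, string $clientId, string $returnTo): string
{
    return sprintf('https://%s/v2/logout?%s', $domain,
        http_build_query(['client_id' => $clientId, 'returnTo' => $returnTo]));
}

// Constructed run: "log in", then log out without and with the shared bootstrap.
start_app_session('constructed-session-id');
$_SESSION['auth0__user'] = ['sub' => 'auth0|constructed'];
session_write_close();
$results = [local_logout('constructed-session-id', false), local_logout('constructed-session-id', true)];
var_dump($results); // output is deferred to here because session calls must precede any output
echo auth0_logout_url('tenant.example.auth0.com', 'CLIENT_ID_PLACEHOLDER', 'https://app.example/login.php'), "\n";
```

The first result is `false` (the user survives in the store, so `getUser()` would still return it) and the second is `true`; checking the store after logout is the quickest way to confirm the right session was cleared.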