Not being logged out of auth0 at all

martynleeball · January 26, 2021, 12:17pm

Hey, i’m using the examples provided and simply trying to go back to the same login page after the user is logged in, so if auth0 has got a user then we don’t hit the login method, I have more code below to run after they have logged in.

Issue i’m having is that after I login, then logout, the user still appears to be logged in, so my steps:

Login through login.php.
Directed back to login.php and the users details are displayed.
Logout in logout.php, get directed to /.
Go to login.php and the users details are displayed, but I should be getting sent to the login form.

login.php

/** @noinspection PhpUnhandledExceptionInspection*/
$auth0 = new Auth0([
	'domain' => AUTH0_DOMAIN,
	'client_id' => AUTH0_CLIENT_ID,
	'client_secret' => AUTH0_CLIENT_SECRET,
	'redirect_uri' => DMS_URL.'/login.php'
]);

if (!$user = $auth0->getUser()) {
	$auth0->login();
}
dd($user);

logout.php

/** @noinspection PhpUnhandledExceptionInspection*/
$auth0 = new Auth0([
	'domain' => AUTH0_DOMAIN,
	'client_id' => AUTH0_CLIENT_ID,
	'client_secret' => AUTH0_CLIENT_SECRET,
	'redirect_uri' => DMS_URL.'/'
]);

$auth0->logout();
$return_to = DMS_URL.'/';
$logout_url = sprintf('http://%s/v2/logout?client_id=%s&returnTo=%s', AUTH0_DOMAIN, AUTH0_CLIENT_ID, $return_to);
header('Location: ' . $logout_url);

Edit:

So, after some investigation is appears that even after hitting the logout page, the $_SESSION('auth0__user') key isn’t being cleared. Due to the documentation using getUser() to distinguish if a user is logged in, it doesn’t make sense for Auth0 to not clear this by default?

konrad.sopala · January 26, 2021, 12:14pm

Hey there!

I’m not a PHP guy but maybe our PHP quickstart can be of any help here especially section about logout:

also this one:

martynleeball · January 26, 2021, 10:26am

Strangely enough, ive just tested this code again this morning and now it appears to be working as expected! Very strange, I will keep in mind them links though, thank-you.

konrad.sopala · January 26, 2021, 11:30am

Perfect! Glad to hear that!

martynleeball · January 26, 2021, 12:14pm

Hi, turns out this issue is not resolved. I will update my question with what I have found out.

konrad.sopala · January 26, 2021, 12:31pm

Ahh. Sure provide more details so we can try debug it further!

martynleeball · January 26, 2021, 12:37pm

Already added at the bottom of my post.

konrad.sopala · January 26, 2021, 1:04pm

So basic logout (covered on Auth0-PHP Basic Use) closes the session in your application, but for customers using Single Sign-on (SSO), you also need to close the session at Auth0.

Ref:

How to log users out of Auth0

martynleeball · January 27, 2021, 10:50am

I have tried this already and it doesn’t appear to work, I can still called getUser and return a user after I have hit the log out script.

logout.php

use Auth0\SDK\Auth0;

/** @noinspection PhpUnhandledExceptionInspection*/
$auth0 = new Auth0([
	'domain' => AUTH0_DOMAIN,
	'client_id' => AUTH0_CLIENT_ID,
	'client_secret' => AUTH0_CLIENT_SECRET,
	'redirect_uri' => "http://{$_SERVER['HTTP_HOST']}/dealer_interface_login.php"
]);

$auth0->logout();
$return_to = DMS_URL.'/dealer_interface_login.php';
$logout_url = sprintf('http://%s/v2/logout?client_id=%s&returnTo=%s&federated', AUTH0_DOMAIN, AUTH0_CLIENT_ID, $return_to);
header('Location: ' . $logout_url);

martynleeball · January 27, 2021, 12:33pm

Hi, sorry I just realized I forgot to include my session script as we use regis! So the logout script was attempting to clear a normal PHP session rather than the regis session!

konrad.sopala · January 27, 2021, 1:24pm

Glad you have found it! Thanks for sharing with the rest of community forum!

konrad.sopala · January 28, 2021, 4:21pm