I've implemented Symfony's security component as follows:

use Symfony\Component\HttpFoundation\RequestMatcher;

$app['security.firewalls'] = array(
    // Unsecured area: only the login/logout routes, matched on GET requests
    'unsecured_area' => array(
        'pattern' => new RequestMatcher('^/log(in|out).*', null, 'GET')
    ),
    // Secured area: every other request
    'secured_area' => array(
        'pattern' => '.*',
        'edir' => true,
        'users' => $app['security.user_provider.custom'],
        'switch_user' => array('parameter' => '_switch_user', 'role' => 'ROLE_ALLOWED_TO_SWITCH')
    )
);
When I call the logout route, I just invalidate the session.
As far as I understand, the security context is stored in the session, so it should be sufficient to log out my user. But he's not logged out.
If I update my firewall, putting the logout route into the secured area, the $session->invalidate()
works fine and the user is logged out...
Why doesn't it work in the unsecured area? Unsecured area doesn't mean no-session area, does it?
Simply put, in an unsecured area, Symfony2 uses what it calls an AnonymousToken; even though it has an active session, it isn't populated with the user credentials.
Hence, your user cannot be logged out as he is not in a logged-in state; the user information is not in the token or session.
Hope that helps
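As an added example (not code from the question or the answer above): the same Silex firewall layout with the logout route moved out of the anonymous firewall and handled by the secured firewall's `logout` option, so the request to /logout is processed by the firewall that actually holds the authenticated token. The route paths and the form-login settings are assumptions.

```php
<?php
// Added example: corrected Silex firewall layout. The paths /login, /login_check
// and /logout and the form-login settings are assumptions, not the poster's.
use Symfony\Component\HttpFoundation\RequestMatcher;

$app['security.firewalls'] = array(
    // Only the login form itself stays anonymous. /logout is deliberately NOT
    // matched here: a request handled by this firewall carries an AnonymousToken,
    // so invalidating the session from it never touches the logged-in user.
    'unsecured_area' => array(
        'pattern' => new RequestMatcher('^/login$', null, 'GET'),
    ),
    // Everything else, including /logout, belongs to the authenticated firewall.
    'secured_area' => array(
        'pattern' => '.*',
        'form' => array('login_path' => '/login', 'check_path' => '/login_check'),
        // The logout option registers Symfony's LogoutListener on THIS firewall:
        // the request to /logout sees the real authenticated token, clears it and
        // invalidates the session itself, so no manual $session->invalidate()
        // call in a controller is needed.
        'logout' => array('logout_path' => '/logout'),
        'users' => $app['security.user_provider.custom'],
        'switch_user' => array('parameter' => '_switch_user', 'role' => 'ROLE_ALLOWED_TO_SWITCH'),
    ),
);
```

Firewalls are matched in the order they are declared, so the narrow anonymous matcher must stay before the catch-all pattern.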