In Symfony applications, the logout feature of the security system is enabled and configured per firewall. You can configure it with YAML, XML or PHP, but the following example only shows the YAML config:
# config/packages/security.yaml
security:
    # ...
    firewalls:
        main:
            # ...
            logout:
                path: app_logout
The key of this configuration is the path option, which defines the route/URL that the user needs to browse to in order to log out of the application. Symfony handles this logout process entirely, but that route/URL must exist in your application.
That's why you need to add that route in your application. For example, you could create this YAML route definition which doesn't point to any controller action:
# config/routes.yaml
app_logout:
    path: /logout
    methods: GET
Or, if you prefer to define all routes in PHP classes via attributes, you could do this:
// src/Controller/SecurityController.php
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\Routing\Annotation\Route;

class SecurityController extends AbstractController
{
    #[Route('/logout', name: 'app_logout', methods: ['GET'])]
    public function logout(): never
    {
        // controller can be blank: it will never be called!
        throw new \Exception('Don\'t forget to activate logout in security.yaml');
    }
}
Creating this route always felt a bit quirky. If Symfony handles all the logout logic, why not take care of this route too? In Symfony 6.4 we're simplifying the logout feature to take care of this.
Technically, this works thanks to a custom route loader that creates the logout
routes for you. If your application uses Symfony Flex the needed configuration
will be added to your application automatically when you update the symfony/security-bundle
recipe. Otherwise, you'll need to add this configuration to your application:
# config/routes/security.yaml
_security_logout:
    resource: security.route_loader.logout
    type: service
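To make the mechanism concrete, here is an added sketch of a service-type route loader that builds one logout route per firewall. It was written for this article and is not Symfony's own implementation; the class name, the logout_ route-name prefix and the constructor argument are assumptions for illustration.

```php
<?php
// Added illustration; not the source of security.route_loader.logout.
namespace App\Routing;

use Symfony\Component\Routing\Route;
use Symfony\Component\Routing\RouteCollection;

/**
 * Hypothetical route loader service. A routing file references its service id
 * with "type: service"; when no method is named, the router calls __invoke().
 * The service must carry the routing.route_loader tag.
 */
final class FirewallLogoutRouteLoader
{
    /**
     * @param array<string, string> $logoutPaths firewall name => logout.path value
     *                                           (assumed to be injected from the security config)
     */
    public function __construct(private readonly array $logoutPaths)
    {
    }

    public function __invoke(): RouteCollection
    {
        $routes = new RouteCollection();

        foreach ($this->logoutPaths as $firewall => $path) {
            // A value such as "app_logout" is a route name that the application
            // already defines itself; only URL paths need a generated route.
            if (!str_starts_with($path, '/')) {
                continue;
            }

            // No _controller default is set: the route only has to exist so the
            // router can match the URL. The firewall's logout handling answers
            // the request before any controller would be resolved.
            $routes->add('logout_'.$firewall, new Route($path));
        }

        return $routes;
    }
}
```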
What about the login_check route? Does it still need to be defined manually?
Finally, almost 10 years but finally, +1
This: "Creating this route always felt a bit quirky"
Thanks! At last!
So we can delete this method logout() from customAuthenticator?
But which name do I need to use in my template? _logout_main? (if my firewall is main) but this doesn't work.