- Issue created by @Austin986
- Assigned to Chandreshgiri Gauswami
- Issue was unassigned.
- 🇨🇦Canada gapple
Thanks for opening the issue
Since the 2.x branch changed to using the authentication flow to check for a persistent login cookie only when needed, TokenHandler will only have its
$tokenproperty set on a user's first unauthenticated request (instead of every request, but not revalidating the token, like in 1.x). WhenclearSessionToken()is called on logout, it still assumed that the token property was already set from the request cookie, so skipped invalidating the token and the user was immediately re-initialized with a new session.The TokenHandler should now properly load the token if not done so already, in order to properly invalidate it when logging out.
- Status changed to Fixed
over 1 year ago 1:27am 29 June 2023 Automatically closed - issue fixed for 2 weeks with no activity.