php-pm-drupal Login causing global logins

Logging in via one browser resulted in my being logged in automatically when using another browser which should have caused an anonymous visit.

To repeat

Log in using one browser.
Visit the home page using another browser which shouldn't be logged in.

Expected results

The second browser shouldn't be logged in. It should be an anonymous user visit.

Actual results

The second browser is already logged in when the page loads.

Jan 26 '16 01:01 kentr

"another browser" means really a completely different browser? I guess this has then something todo with $_SESSION if drupal is using it because this var is actually always the same and should be replaced after each request.

Feb 19 '16 22:02 marcj

Yeah, a completely different browser.

I think it's similar to what you're suggesting. Looks like this piece isn't fully converted to dependency injection and uses a global (singleton?) containing the current user: \Drupal::currentUser().

Feb 20 '16 17:02 kentr

Hmm. If I'm reading this correctly, the service uses \Drupal\Core\Session\AccountProxy, and the current user can be changed in the request pipeline.

Ah, but it would probably still be global...

Feb 20 '16 17:02 kentr

@marcj Does authentication work as expected in the Symfony & Laravel versions of PHP-PM?

Mar 11 '16 18:03 kentr

Thats a good question, I guess so, but I'm not sure.

Mar 11 '16 18:03 marcj

@kentr I've fixed the cookie and header sending issue in HttpKernel. Login works there now correctly. Unfortunately php-pm-drupal needs some adjustments to keep it working with the current master@php-pm. I'm providing you tomorrow a pull-request also with changes for #11

Mar 18 '16 01:03 marcj

@bertrama's idea in the D7 issue might help with this.

Nov 08 '16 19:11 kentr