Login causing global logins

[kentr]

Logging in via one browser resulted in my being logged in automatically when using another browser which should have caused an anonymous visit.

To repeat

1. Log in using one browser.
2. Visit the home page using another browser which shouldn't be logged in.

Expected results

The second browser shouldn't be logged in. It should be an anonymous user visit.

Actual results

The second browser is already logged in when the page loads.

[marcj]

"another browser" means really a completely different browser? I guess this has then something todo with $_SESSION if drupal is using it because this var is actually always the same and should be replaced after each request.

[kentr]

Yeah, a completely different browser.

I think it's similar to what you're suggesting. Looks like this piece isn't fully converted to dependency injection and uses a global (singleton?) containing the current user: \Drupal::currentUser().

[kentr]

Hmm. If I'm reading this correctly, the service uses \Drupal\Core\Session\AccountProxy, and the current user can be changed in the request pipeline.

Ah, but it would probably still be global...

[kentr]

@marcj Does authentication work as expected in the Symfony & Laravel versions of PHP-PM?

[marcj]

Thats a good question, I guess so, but I'm not sure.

[marcj]

@kentr I've fixed the cookie and header sending issue in HttpKernel. Login works there now correctly. Unfortunately php-pm-drupal needs some adjustments to keep it working with the current master@php-pm. I'm providing you tomorrow a pull-request also with changes for #11

[kentr]

@bertrama's idea in the D7 issue might help with this.