Configure logoutRedirect in Authentication plugin with CakeDC/Users in cakephp 5.x

How and where do I have to configure the logoutRedirect in Authentication plugin so that when the user clicks on logout redirects the site to controller Users, action login?

Is still doing what I don’t want it to do, when I click on logout it redirects to controller home and doesn’t finish the session because I can enter the different pages of the site, I copied the content of logout action in LoginTrait to MyUsersController, is there something missing that I am not doing?

That page you are redirecting to needs to be accessible without authentication of course. Otherwise the plugin will redirect you to the login page.

Also what do you mean by it doesn’t finish the session. As you can see here the session is destroyed if that logout functionality of the CakeDC/Users plugin is called.

This is the code for initialize method in MyUsersController:

    public function initialize(): void
        if ($this->components()->has('Security')) {
                ['login', 'u2fRegister', 'u2fRegisterFinish', 'u2fAuthenticate', 'u2fAuthenticateFinish']
		$countUsers = $this->MyUsers->find()->count();
		if(empty($countUsers)) $this->Authentication->allowUnauthenticated(['add']);
		else $this->Authentication->allowUnauthenticated(['login', 'requestResetPassword', 'resetPassword']);

This is the screenshot for logout action:

As you can see it redirects to home controller, and when I click on a link in the menu it redirects to that page without saying that is not accesible with a logged out user.

The redirection is working fine, but for some reason $result = $service->getResult() is returning a status of success, this is what it shows debug($result):

object(Authentication\Authenticator\Result) id:0 {
  protected _status => 'SUCCESS'
  protected _data => object(App\Model\Entity\MyUser) id:1 {
    'id' => '1f17ff71-9dfb-405e-b5b8-6850a60152a7'
    'username' => 'superadmin'
    'email' => ''
    'password' => '$2y$10$3muBujd7SSYXhulonYOVROednofiIjjbgIuu4Q0sDjY5u9UZ3GLjW'
    'first_name' => 'Matías'
    'last_name' => 'de Anquin'
    'token' => ''
    'token_expires' => null
    'api_token' => ''
    'activation_date' => null
    'secret' => null
    'secret_verified' => null
    'tos_date' => null
    'active' => true
    'is_superuser' => true
    'group_id' => null
    'enterprise_id' => (int) 0
    'created' => object(Cake\I18n\DateTime) id:2 {
      'hasFixedNow' => false
      'time' => '2023-12-30 19:05:29.000000'
      'timezone' => 'America/Argentina/Buenos_Aires'
    'modified' => object(Cake\I18n\DateTime) id:3 {
      'hasFixedNow' => false
      'time' => '2023-12-31 11:40:43.000000'
      'timezone' => 'America/Argentina/Buenos_Aires'
    'additional_data' => null
    'last_login' => null
    '[new]' => false
    '[accessible]' => [
      '*' => true,
      'id' => false,
      'is_superuser' => false,
      'role' => false,
    '[dirty]' => [
    '[original]' => [
    '[originalFields]' => [
      (int) 0 => 'id',
      (int) 1 => 'username',
      (int) 2 => 'email',
      (int) 3 => 'password',
      (int) 4 => 'first_name',
      (int) 5 => 'last_name',
      (int) 6 => 'token',
      (int) 7 => 'token_expires',
      (int) 8 => 'api_token',
      (int) 9 => 'activation_date',
      (int) 10 => 'secret',
      (int) 11 => 'secret_verified',
      (int) 12 => 'tos_date',
      (int) 13 => 'active',
      (int) 14 => 'is_superuser',
      (int) 15 => 'group_id',
      (int) 16 => 'enterprise_id',
      (int) 17 => 'created',
      (int) 18 => 'modified',
      (int) 19 => 'additional_data',
      (int) 20 => 'last_login',
    '[virtual]' => [
    '[hasErrors]' => false
    '[errors]' => [
    '[invalid]' => [
    '[repository]' => 'Users'
  protected _errors => [

This is the code for login action:

	public function login()
		$this->Observations = $this->fetchTable('Observations');
        $service = $this->request->getAttribute('authentication');
        $result = $service->getResult();
        if ($result->isValid()) {
            $user = $this->request->getAttribute('identity')->getOriginalData();
			$now = DateTime::now();
			$user->last_login = $now;
			$observations = $this->Observations->newEmptyEntity();
			$user_id = $user->id;
			$username = $user->username;
			$observations->user_id = $user_id;
			$observations->observation = __('El usuario {0} ha ingresado al sistema', $username);

			$target = $this->Authentication->getLoginRedirect() ?? '/home';
			return $this->redirect($target);
        if ($request->is('post')) {
			$this->Flash->error(__('Nombre de usuario o contraseña incorrectos.'));
		$countGroups = $this->MyUsers->Groups->find('all')->count();
		$this->set('countGroups', $countGroups);
		$countUsers = $this->MyUsers->find('all')->count();
		$this->set('countUsers', $countUsers);

How can I solve this issue?

I found out what is the problem, I have this code in users.php:

        'RememberMe' => [
            // configure Remember Me component
            'active' => true,
            'checked' => true,
            'Cookie' => [
                'name' => 'remember_me',
                'Config' => [
                    'expires' => new \DateTime('+1 month'),
                    'httponly' => true,

I put all in false and tried to delete the cookie in logout action but is not working, is still relogging the user into the site.
This is the code for logout action:

	public function logout()
		$this->Observations = $this->fetchTable('Observations');
		$cookies = $this->response->getCookieCollection();
		$cookies = $cookies->remove('remember_me');
		$observations = $this->Observations->newEmptyEntity();
		$observations->user_id = $this->user_id;
		$observations->observation = __('El usuario {0} salió del sistema', $this->username);
        $this->Flash->success(__d('cake_d_c/users', 'You\'ve successfully logged out'));
		return $this->redirect($this->Authentication->logout());

How can I solve this issue?

I don’t know why you are going through all this trouble manually because pretty much everything you do besides the newly created Observations entity will happen automatically via


You don’t need to manually remove the remember_me Cookie and you don’t need to manually destroy the session because both of these actions happen through

and therefore respectivley in the CookieAuthenticator as well as the SessionAuthenticator

and no, I did not provide you these links to copy-paste these code blocks into your app. I just want to show you where these kinds of logic are already present inside the authentication plugin and that you shouldn’t need to worry about that.

If it doesn’t do that for you then you have something very weird going on in your app which I can’t tell how to fix since its specific to your app.

I think I did a pretty good job explaining the difference between session authenticator and cookie authenticator in my workshop from 2022. You will need to debug this yourself and see what your app doesn’t do.

Thanks for your answer, what a pity you can’t help me, I am stuck with this and don’t know how to proceed.

Is there someone who can help me with this? Maybe someone has an idea of where could be the problem, sorry for the insistence, but I need to solve this issue for next tuesday, thanks in advance for the help.