
[Security] Add docs about success handlers for login and logout #802


Closed
Seldaek opened this issue Oct 25, 2011 · 5 comments
Labels
actionable Clear and specific issues ready for anyone to take them. Security

Comments

@Seldaek
Member

Seldaek commented Oct 25, 2011

Johannes says it's not recommended to use security.interactive_login for redirections and such because they should not apply to all firewalls, and not all auth types. In any case, if you ignore that and do it anyway, there is no event for logout, so you get stuck eventually if you try to cover that as well.

@weaverryan
Member

+1 - a quick cookbook article on using both the success_handler under something like form login as well as for logout would be cool. For example, maybe on login you want to redirect to an account page if that user has some property. And on logout, maybe you do something (anyone think of a nice use-case here?) before redirecting, maybe to some page based on custom logic.

@Seldaek
Member Author

Seldaek commented Apr 29, 2012

The main use case I've had for logout is to reply with json instead of a redirect on ajax logout.
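
An added example of the AJAX logout case mentioned above (not code from this thread or from the Symfony docs): a logout success handler that answers XHR requests with JSON and everything else with a redirect. It assumes the Symfony 2.x-era `LogoutSuccessHandlerInterface`; the `App\Security` namespace, the class name and the `logged_out` key are hypothetical.

```php
<?php

namespace App\Security; // hypothetical namespace

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;

/**
 * Hypothetical handler: JSON for AJAX logout, redirect for normal logout.
 */
class AjaxLogoutSuccessHandler implements LogoutSuccessHandlerInterface
{
    private $targetUrl;

    /**
     * @param string $targetUrl Redirect target for non-AJAX logout.
     */
    public function __construct($targetUrl = '/')
    {
        // The target is fixed in server-side configuration and never read
        // from the request, so logout cannot be used as an open redirect.
        $this->targetUrl = $targetUrl;
    }

    /**
     * Called by the firewall's logout listener after the logout handlers
     * (session invalidation, cookie clearing) have run.
     */
    public function onLogoutSuccess(Request $request)
    {
        // isXmlHttpRequest() checks the client-supplied X-Requested-With
        // header. It only selects the response format here; no access
        // decision depends on it.
        if ($request->isXmlHttpRequest()) {
            return new JsonResponse(array('logged_out' => true));
        }

        return new RedirectResponse($this->targetUrl);
    }
}
```

To use it, register the class as a service and reference that service id in the firewall's `logout: success_handler` option.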

@Sgoettschkes
Contributor

I would write this and I'm trying to understand the handlers right now. One thing I don't understand is the constructor signature of the DefaultAuthenticationSuccessHandler. It has an $options parameter, but as it is used with the DI-Container, I don't see any way to pass any options. Does anybody know how this is supposed to work?

@Sgoettschkes
Contributor

Actually, never mind. I could overwrite the defaults passed to the service in my code. Makes sense to me. I'll see if I find the time tonight to write something!

As for a use case, I thought about saving the last successful login and logout in the user object as an example. It's not what many people will end up doing, but it shows the usage of both handlers and is short enough to not confuse people. If you got another idea please let me know!

@wouterj
Member

wouterj commented Apr 25, 2015

Closing in favor of #4258, which contains a lot more details on how to fix it

@wouterj wouterj closed this as completed Apr 25, 2015