xfscrypt

Reputation: 276

Symfony 3: RememberMe Cookie is not set

In my Symfony 3 app I have my login page at the root url "/" (and therefore not at "/login").

Unfortunately the app is not setting the REMEMBER_ME cookie, although it is properly configured in security.yml:

# To get started with security, check out the documentation:
# http://symfony.com/doc/current/book/security.html
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
            fos_userbundle:
                id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt|error)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
                check_path: /login_check
                login_path: /
                default_target_path:  /home
                use_forward:    false
                failure_path:   null
                failure_handler: ccdn_user_security.component.authentication.handler.login_failure_handler
                require_previous_session: false
            logout:
                path:   /logout
                target: /
            security: true
            anonymous:
                secret:  "%secret%"
            remember_me:
                secret: "%secret%"
                lifetime: 604800 # 1 week in seconds
                path:     /
                secure: true
            switch_user: true

    access_control:
        - { path: ^/admin, role: ROLE_ADMIN,requires_channel: "%protocol%" }
        - { path: ^/user, roles: ROLE_USER, requires_channel: "%protocol%"}
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: "%protocol%" }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: "%protocol%" }
        - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: "%protocol%" }

I don't have listeners setup of any kind which was something that this OP was running into: Symfony2: remember me token is not set

I have adjusted the SecurityController of the FOSUserBundle as follows:

use FOS\UserBundle\Controller\SecurityController as BaseController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Controllers for Anonymous Index Page
 */
class SecurityController extends BaseController
{
    /**
     * @param Request $request
     *
     * @return Response
     */
    public function loginAction(Request $request)
    {
        $securityContext = $this->container->get('security.authorization_checker');

        // Already authenticated (fully or via remember-me): skip the login form.
        if ($securityContext->isGranted('IS_AUTHENTICATED_REMEMBERED') || $securityContext->isGranted('IS_AUTHENTICATED_FULLY')) {
            return $this->redirect($this->generateUrl('home'));
        }

        // Otherwise defer to the FOSUserBundle login action.
        return parent::loginAction($request);
    }
}

but as you can see this is just redirecting the user in case he is already logged in.

However the AuthenticationListener shipped with the FOSUserBundle never seems to be triggered.

Finally, in case you need it, this is my remember me widget in the login form:

   <div class="checkbox checkbox-css m-b-30">
          <input name="_remember_me" checked type="checkbox" id="remember_me_checkbox" />
          <label for="remember_me_checkbox">Remember me</label>
   </div>

Does anyone have an idea why the cookie is not being set? The users are automatically logged out after 20 min or so. I guess this is because of the PHP session expiry?

Upvotes: 0

Views: 830

Answers (1)

Jovan Perovic

Reputation: 20193

Answer based on the comment section:

The secure: true means the cookie will only be sent over secure connection. You may want to remove this line, for testing purposes, or to check if your web server has been properly configured to handle https traffic.

Make sure you visit your app via https. I am not sure if self-signed cert could potentially have any impact on this. Based on Gumbo's answer from https://stackoverflow.com/a/9606871/662615, it should not have...

Another thing: in order to prevent premature logout, increase your session timeout instead. AFAIK, the remember_me only helps if user goes away during the session duration...

Hope this helps...

Upvotes: 2
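As an added diagnostic (not part of the question or the answer above), the following Python script inspects the Set-Cookie headers of a login response, for example captured with `curl -k -i -d '_username=...&_password=...&_remember_me=on' https://host/login_check`, and reports the usual reasons a remember-me cookie does not survive: it was never emitted (the listener did not run), it carries the Secure flag but the page was fetched over plain HTTP, or it has no expiry. It assumes Symfony's default remember-me cookie name REMEMBERME; the sample headers are constructed for the example.

```python
"""Check a login response for Symfony's remember-me cookie (added example)."""
from typing import Dict, List, Optional

# Symfony's default cookie name for the remember_me firewall option (assumption:
# the app has not overridden it with the `name` setting).
REMEMBER_ME_COOKIE = "REMEMBERME"


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into its name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, object] = {
        "name": name.strip(),
        "value": value.strip(),
        "secure": False,
        "httponly": False,
        "path": None,
        "expires": None,
        "max-age": None,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key in ("path", "expires", "max-age"):
            cookie[key] = val.strip()
    return cookie


def find_cookie(set_cookie_headers: List[str],
                name: str = REMEMBER_ME_COOKIE) -> Optional[Dict[str, object]]:
    """Return the parsed cookie with the given name, or None if absent."""
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] == name:
            return cookie
    return None


def diagnose_remember_me(set_cookie_headers: List[str],
                         request_was_https: bool) -> List[str]:
    """Explain why the remember-me cookie would not persist; empty list means OK."""
    findings: List[str] = []
    cookie = find_cookie(set_cookie_headers)
    if cookie is None:
        findings.append(
            "no REMEMBERME cookie in the response: the remember-me listener did not "
            "run (check that _remember_me was posted and the login succeeded)")
        return findings
    # With `secure: true` the browser will not send the cookie over plain HTTP.
    if cookie["secure"] and not request_was_https:
        findings.append(
            "REMEMBERME has the Secure flag but was served over plain HTTP: "
            "the browser will not return it")
    if not cookie["httponly"]:
        findings.append("REMEMBERME lacks HttpOnly: readable by page scripts")
    # Without Expires/Max-Age it is a session cookie and dies with the browser.
    if cookie["expires"] is None and cookie["max-age"] is None:
        findings.append("REMEMBERME has no Expires/Max-Age: it will not outlive the browser session")
    return findings


if __name__ == "__main__":
    # Constructed sample response headers, not captured from the asker's app.
    sample_headers = [
        "PHPSESSID=0123456789abcdef; path=/; HttpOnly",
        "REMEMBERME=dGVzdA%3D%3D; expires=Sun, 01-Jan-2017 00:00:00 GMT; "
        "path=/; secure; httponly",
    ]
    for https in (True, False):
        print("https" if https else "http", diagnose_remember_me(sample_headers, https))
```

Run it against the headers of your own `/login_check` response: an empty list over HTTPS plus a Secure-flag finding over HTTP points at the `secure: true` line the answer mentions, while "no REMEMBERME cookie" means the problem is upstream of the cookie flags.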
