Miles M.

Reputation: 4169

Symfony 4 Remember Me doesn't work, the cookie is destroyed when browser reboot

I have an issue very similar to: Symfony Remember Me doesn't work, the cookie is destroyed when browser reboot

Unfortunately, their solution doesn’t fix it in Symfony 4.

After the user logs in, the cookie "REMEMBERME" is created. If I reboot my browser, I can still see my cookie, but when I access a page under the security IS_AUTHENTICATED_REMEMBERED, it does not work and I’m redirected to the login page. The cookie is then destroyed and the user has to log in again.

I have been developing the authentication process as explained in the official documentation (by the book really, no fancy customization, no FOSUserBundle).

You can find my service.yaml, built like in the documentation:

security:
    encoders:
        App\Entity\User:
            algorithm: bcrypt
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        in_memory: { memory: ~ }
        our_db_provider:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern:    ^/
            http_basic: ~
            provider: our_db_provider
            anonymous: ~
            form_login:
                login_path: login
                check_path: login
                default_target_path: dashboard
            remember_me:
                secret:   '%kernel.secret%'
                lifetime: 604800 # 1 week in seconds
                path:     /
                secure:   true
                name:     REMEMBERME
                remember_me_parameter: _remember_me
            logout:
                path:  /logout
                target: /
        secured_area:
            form_login:
                csrf_token_generator: security.csrf.token_manager
                provider: our_db_provider
            logout:
                path:   /logout
                target: /

    role_hierarchy:
        ROLE_ADMIN:      ROLE_USER
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/profile, roles: IS_AUTHENTICATED_REMEMBERED }

My login function is as detailed in the documentation as well:

public function login(Request $request, AuthenticationUtils $authenticationUtils)
{
    // get the login error if there is one
    $error = $authenticationUtils->getLastAuthenticationError();

    // last username entered by the user
    $lastEmail = $authenticationUtils->getLastUsername();

    return $this->render('platform/user/login.html.twig', [
        'last_email' => $lastEmail,
        'error'         => $error,
    ]);
}

I have tried to replace ROLE_USER with IS_AUTHENTICATED_REMEMBERED in my routes (I don’t understand what exactly the difference is, though I read their doc about it) but nothing changed. The cookie is here but it still doesn’t help me to stay logged in.

Any help here is much appreciated. I’d love to have the remember me feature work on my app. Many thanks.

Upvotes: 5

Views: 2909

Answers (1)

Tebe

Reputation: 171

If the cookie is available but you are not successfully authenticated, maybe check whether your auth tests(!) are OK?

IS_AUTHENTICATED_REMEMBERED will be true, but IS_AUTHENTICATED_FULLY is false, because the second one excludes users authenticated through the remember-me cookie.

(Read the doc again and change your authentication checker code.)

Check other things too:

  • Did you do/force a reauthentication?
  • Does the login form contain the CSRF token and the remember me checkbox?
  • Check all other remember me parameters too (change the default values)
  • Is the last used username successfully filled in the login form?

Upvotes: 2
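
To see which of the two levels from the answer a returning user actually holds, a small controller can report the current token and apply each check. This is an added example, not code from the question or the answer; the class name, route paths and route names are hypothetical, and it assumes Symfony 4 with default autowiring and routes under the `main` firewall.

```php
<?php
// Added example: AuthLevelController and its routes are hypothetical names.
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
use Symfony\Component\Security\Core\Security;

class AuthLevelController extends AbstractController
{
    /**
     * Debugging aid for the dev environment: shows how this request was
     * authenticated. Remove it once the remember-me flow works.
     *
     * @Route("/_auth-level", name="auth_level")
     */
    public function authLevel(Security $security): JsonResponse
    {
        $token = $security->getToken(); // null when no firewall covers the route

        return new JsonResponse([
            'token_class' => $token ? get_class($token) : null,
            // true when the session was restored from the REMEMBERME cookie
            'via_remember_me_cookie' => $token instanceof RememberMeToken,
            // true for cookie-restored AND form-login sessions
            'remembered' => $token && $security->isGranted('IS_AUTHENTICATED_REMEMBERED'),
            // true only after a login in the current session
            'fully' => $token && $security->isGranted('IS_AUTHENTICATED_FULLY'),
        ]);
    }

    /**
     * Sensitive action: a cookie-restored session is not enough, so a
     * remembered user is sent to the login form before reaching it.
     *
     * @Route("/profile/password", name="profile_password")
     */
    public function changePassword(): Response
    {
        $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');

        return new Response('Password form would be rendered here.');
    }
}
```

After restarting the browser, a working remember-me setup returns `via_remember_me_cookie: true`, `remembered: true` and `fully: false` from the first route; a redirect to the login page on a route that only requires IS_AUTHENTICATED_REMEMBERED means the cookie was not accepted at all.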
