Reputation: 577
I'm building a custom GuardAuthenticator to login with a token on a specific route. According to the documentation if supportsRememberMe()
returns true
and remember_me
is activated in the firewall, the remember me cookie should be set, but it's not (although it is set if I use a form login authentication on another route).
The route:
* @Route("/login/token/{id}/{token}/{force}", defaults={"force"=0}, name="login_token")
public function loginToken()
The GuardAuthenticator:
namespace App\Security;
use App\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
use Symfony\Component\Security\Http\Util\TargetPathTrait;
class TokenLoginAuthenticator extends AbstractGuardAuthenticator
use TargetPathTrait;
private $em;
private $force;
public function __construct(EntityManagerInterface $em)
$this->em = $em;
public function supports(Request $request)
return 'login_token' === $request->attributes->get('_route') && $request->isMethod('GET');
public function getCredentials(Request $request)
$credentials = [
'id' => $request->attributes->get('id'),
'token' => $request->attributes->get('token')
$this->force = $request->attributes->get('force');
return $credentials;
public function getUser($credentials, UserProviderInterface $userProvider)
$user = $this->em->getRepository(User::class)->find($credentials['id']);
if (!$user) {
// fail authentication with a custom error
throw new CustomUserMessageAuthenticationException('No user found.');
return $user;
public function checkCredentials($credentials, UserInterface $user)
if ($user->getToken() === $credentials['token']) {
return true;
throw new HttpException(403, "Forbidden");
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
if ($targetPath = $this->getTargetPath($request->getSession(), $providerKey)) {
return new RedirectResponse($targetPath);
public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
throw new HttpException(403, "Forbidden");
public function start(Request $request, AuthenticationException $authException = null)
public function supportsRememberMe()
return true;
The security config:
id: 'App\Security\PasswordEncoder'
in_memory: { memory: ~ }
class: App\Entity\User
property: email
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
anonymous: true
login_path: login
check_path: login
provider: orm
csrf_token_generator: security.csrf.token_manager
default_target_path: homepage
path: /logout
target: /
secret: '%kernel.secret%'
lifetime: 604800 # 1 week in seconds
path: /
# by default, the feature is enablered by checking a
# checkbox in the login form (see below), uncomment the
# following line to always enable it.
# always_remember_me: true
provider: orm
- App\Security\TokenLoginAuthenticator
Upvotes: 1
Views: 1300
Reputation: 11
In Symfony 5.2.6 dont forget to add new RememberMeBadge() to the authenticate function:
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
class LoginFormAuthenticator extends AbstractLoginFormAuthenticator
public function authenticate(Request $request): PassportInterface
$email = $request->request->get('email', '');
$request->getSession()->set(Security::LAST_USERNAME, $email);
return new Passport(
new UserBadge($email),
new PasswordCredentials($request->request->get('password', '')),
new CsrfTokenBadge('authenticate', $request->get('_csrf_token')),
new RememberMeBadge(),
Upvotes: 1
Reputation: 577
Remember me cookie will be set if all of the following are met:
method returns true
key in the firewall is configured._remember_me
parameter is sent in the request. This is usually done by having a _remember_me
checkbox in a login form (but it can be sent as url param (?_remember_me=1
), or we can configure the firewall remember_me
key to always_remember_me
method returns a Response object.Upvotes: 0