Symfony FOSUserBundle Remember me doesn't work
I'm using FOSUserBundle with email as username.

Trying to use the remember_me functionality, but it's not working. I've read this question: Symfony2: "Remember me" tries to authenticate by username instead of email

It's quite an old article, and the username field in the database is set to the same value as the email, so I don't understand why it is not working.

Checking with the Google Chrome inspector, the REMEMBERME cookie is set...

Can someone help?

This is my security.yaml

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
            logout:       true
            anonymous:    true
            remember_me:
                secret:   '%secret%'
                lifetime: 604800 # 1 week in seconds
                path:     /
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

    access_control:
        - { path: ^/$, role: IS_AUTHENTICATED_FULLY }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/account/*, role: IS_AUTHENTICATED_FULLY }
        - { path: ^/admin/*, role: ROLE_ADMIN }
Urgent answered 23/5, 2017 at 15:8 Comment(0)

OK, it's a role configuration problem.

According to the documentation:

  • IS_AUTHENTICATED_ANONYMOUSLY: All users (even anonymous ones) have this

  • IS_AUTHENTICATED_REMEMBERED: All logged in users have this, even if they are logged in because of a "remember me cookie". Even if you don't use the remember me functionality, you can use this to check if the user is logged in.

  • IS_AUTHENTICATED_FULLY: This is similar to IS_AUTHENTICATED_REMEMBERED, but stronger. Users who are logged in only because of a "remember me cookie" will have IS_AUTHENTICATED_REMEMBERED but will not have IS_AUTHENTICATED_FULLY.

So, in my security.yml, trying to access the paths "^/$" and "^/account/*" after closing the browser was not possible because of the IS_AUTHENTICATED_FULLY requirement.

I've changed it to this:

    access_control:
        - { path: ^/$, roles: IS_AUTHENTICATED_REMEMBERED }
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/account/*, roles: IS_AUTHENTICATED_FULLY }
        - { path: ^/admin/*, roles: [IS_AUTHENTICATED_FULLY, ROLE_ADMIN] }

Now I can access the "^/$" path with the REMEMBERME cookie, but not "^/account/" and "^/admin/", which are more restrictive because of the sensitive data (and that's exactly what I wanted).

Urgent answered 24/5, 2017 at 6:53 Comment(0)
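To see why the change fixes the symptom, here is an added example (neither the asker's nor Symfony's code) that models Symfony's access_control decision in Python over the rules from the answer above: the first path rule that matches wins, the three IS_AUTHENTICATED_* attributes form a strength hierarchy, and with Symfony's default `affirmative` strategy a list such as [IS_AUTHENTICATED_FULLY, ROLE_ADMIN] is satisfied by any one entry. The `level` labels, helper names and sample paths are constructed for the demonstration.

```python
import re

# Constructed model (not Symfony's code) of how the IS_AUTHENTICATED_* attributes
# relate: anonymous < remembered (REMEMBERME cookie only) < fully (logged in this session).
LEVELS = {"anonymous": 0, "remembered": 1, "fully": 2}
AUTH_ATTRS = {
    "IS_AUTHENTICATED_ANONYMOUSLY": 0,
    "IS_AUTHENTICATED_REMEMBERED": 1,
    "IS_AUTHENTICATED_FULLY": 2,
}

# The access_control list from the answer above, as (path regex, roles) pairs.
# Symfony applies the first rule whose path matches and ignores the rest.
ACCESS_CONTROL = [
    (r"^/$", ["IS_AUTHENTICATED_REMEMBERED"]),
    (r"^/login$", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"^/register", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"^/resetting", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    (r"^/account/*", ["IS_AUTHENTICATED_FULLY"]),
    (r"^/admin/*", ["IS_AUTHENTICATED_FULLY", "ROLE_ADMIN"]),
]


def attribute_granted(attr, level, roles):
    """Single-attribute verdict: authentication strength for IS_AUTHENTICATED_*,
    plain role membership for anything else (e.g. ROLE_ADMIN)."""
    if attr in AUTH_ATTRS:
        return LEVELS[level] >= AUTH_ATTRS[attr]
    return attr in roles


def is_granted(path, level, roles=(), strategy="affirmative", rules=ACCESS_CONTROL):
    """Decide a request against access_control.

    strategy='affirmative' is Symfony's default: one satisfied attribute in the
    rule's list is enough. 'unanimous' requires every listed attribute to hold.
    A path that no rule matches is not restricted by access_control at all.
    """
    for pattern, attrs in rules:
        if re.search(pattern, path):
            verdicts = [attribute_granted(a, level, roles) for a in attrs]
            return all(verdicts) if strategy == "unanimous" else any(verdicts)
    return True


if __name__ == "__main__":
    # Constructed sample sessions: a browser reopened with only the REMEMBERME
    # cookie, and a fresh form login, both for a user without ROLE_ADMIN.
    for path in ("/", "/account/settings", "/admin/users"):
        for level in ("remembered", "fully"):
            print(f"{path:18} {level:10} -> {is_granted(path, level)}")
```

Under the default strategy the `/admin` rule passes for a fully authenticated user without ROLE_ADMIN and for a remember-me session that carries ROLE_ADMIN; if every listed attribute must hold, set `access_decision_manager: { strategy: unanimous }` under `security:` in security.yml.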
