Remember Me functionality not working in Symfony2
I have implemented remember-me functionality in Symfony2. When I log in with the remember-me box checked, a cookie named "REMEMBERME" gets created. That cookie is also available if I close the browser and open it again after many hours. But when I load the home page of my application, the cookie gets automatically deleted and I see no user logged in. Can anyone explain to me the reason for the cookie deletion?

This is my security.yml file section:

remember_me:
    key:      qwerty
    lifetime: 604800
    path:     /
    domain:   ~

EDIT: I have still not found the solution to this question...

EDIT2: Now I have a new problem. The REMEMBERME cookie does not get set at all. How do I solve this?

SOLVED: see answer below

Zoes answered 18/9, 2011 at 5:55 Comment(1)
Possible duplicate of: #6471494 - Pleiad
11

John.

I have the same issue as you do (or did). What I've found is that when I (Symfony2, actually =) ) set the REMEMBERME cookie on line 101 of /vendor/symfony/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeService.php, $user->getPassword() returns NULL, so the cookie hash gets calculated with a NULL password value.

What happens next is that when you return to your site, fully confident that you will be automatically authenticated, Symfony checks your cookie in the same file as above, but on line 58 it finds that the cookie hash is not what it expects, throws an exception ('The cookie\'s hash is invalid.'), internally catches it and proceeds somewhere.

So that is why, in my case, the cookie doesn't work.

I haven't found a solution yet, but I will dig for it and maybe I'll be lucky.

Hope your issue is the same and the solution will help us both.

The Solution:

When implementing eraseCredentials(), which claims to be used to erase sensitive user data from UserInterface, do not perform $this->password = null. I made this mistake because I had not understood its purpose. You can take a glance at Symfony 2 Logout (UserInterface::eraseCredentials) for a little bit of explanation. So it serializes the token object and we are in trouble.

Candycandyce answered 11/2, 2012 at 11:28 Comment(2)
Thanks for the answer, but I have got a brand new problem. Now the remember me cookie does not get set at all. :-( any idea?? - Zoes
Setting username to null also causes this problem. - Asserted
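An added example (not from this answer and not Symfony's own code) showing why nulling the stored password in eraseCredentials() breaks the remember-me cookie: a simplified stand-in for the hash that the token-based service binds to the user's password, beside a User class whose eraseCredentials() clears only a transient plain-text password. The hash layout, the plainPassword property and the user classes are assumptions for illustration.

```php
<?php
// Added example, not Symfony's code. It demonstrates the failure the answer
// describes: the remember-me cookie hash is bound to the stored password, so an
// eraseCredentials() that nulls that password invalidates every cookie.

// Assumption: a simplified stand-in for the hash Symfony's token-based remember-me
// service computes. The real input layout differs; what matters is that the stored
// password (hash) is part of the input and is re-read from the user on every request.
function rememberMeHash(string $class, string $username, int $expires, ?string $password, string $key): string
{
    return hash('sha256', implode(':', [$class, $username, $expires, (string) $password, $key]));
}

// WRONG: eraseCredentials() wipes the persisted password hash. Because the security
// token is serialized into the session after this call, the next request sees NULL.
class BrokenUser
{
    public ?string $password = '$2y$10$constructedhashplaceholder';   // constructed value
    public function eraseCredentials(): void { $this->password = null; }
}

// RIGHT: only the transient plain-text password (an assumed extra property, used
// while registering or changing a password) is cleared; the hash stays intact.
class FixedUser
{
    public ?string $password = '$2y$10$constructedhashplaceholder';   // constructed value
    public ?string $plainPassword = 'hunter2';                        // never persisted
    public function eraseCredentials(): void { $this->plainPassword = null; }
}

$key     = 'qwerty';            // remember_me.key from the question's security.yml
$expires = time() + 604800;     // remember_me.lifetime from the question

foreach ([new BrokenUser(), new FixedUser()] as $user) {
    // Hash written into the REMEMBERME cookie when the user logs in ...
    $atLogin = rememberMeHash(get_class($user), 'john', $expires, $user->password, $key);
    // ... then the framework calls eraseCredentials() and serializes the token ...
    $user->eraseCredentials();
    // ... and on the next request recomputes the hash from the (possibly erased) password.
    $onReturn = rememberMeHash(get_class($user), 'john', $expires, $user->password, $key);
    printf("%-10s %s\n", get_class($user),
        hash_equals($atLogin, $onReturn) ? 'cookie accepted' : "The cookie's hash is invalid.");
}
```

Only BrokenUser fails the comparison, which is the silent "invalid hash" path the answer traces in TokenBasedRememberMeService.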
13

Although this question has already been answered, I would like to contribute a possible solution, if only for posterity and Google search referrals for this problem :)

"The issue is simple: a remembered user does not have the IS_AUTHENTICATED_FULLY role but only IS_AUTHENTICATED_REMEMBERED to make a difference between a remembered user and a user who logged in"

Source: http://www.mail-archive.com/[email protected]/msg34021.html

What this means is that in your security configuration, you must make sure that for every ACL entry the IS_AUTHENTICATED_REMEMBERED role is configured in addition to the IS_AUTHENTICATED_FULLY role.

For example:

#app/config/security.yml
security:
    ...
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: [IS_AUTHENTICATED_FULLY,IS_AUTHENTICATED_REMEMBERED] }
Dido answered 11/6, 2012 at 19:39 Comment(3)
Good to know that IS_AUTHENTICATED_REMEMBERED and IS_AUTHENTICATED_FULLY are mutually exclusive. - Dire
Looks like the trailing slash at the end of "/admin/" is also important. - Eradicate
IS_AUTHENTICATED_FULLY and IS_AUTHENTICATED_REMEMBERED don't need to be added together, they are a hierarchy (FULLY > REMEMBERED > ANONYMOUSLY). In this case, only IS_AUTHENTICATED_REMEMBERED is needed. - Bargeboard
1

I had this problem, and the issue was that I did not use single quotation marks in the property key of the remember_me section (security.yml).

Change this:

remember_me:
    key:      qwerty
    lifetime: 604800
    path:     /
    domain:   ~

to this:

remember_me:
    key:      'qwerty'
    lifetime: 604800
    path:     /
    domain:   ~
You can check it in the symfony documentation:
http://symfony.com/doc/2.7/cookbook/security/remember_me.html

Winze answered 26/2, 2016 at 15:14 Comment(0)
0

Try to increase your session lifetime (config.yml):

framework:
    session:
        default_locale: %locale%
        auto_start:     true
        lifetime:       604800
Cornejo answered 15/1, 2012 at 12:51 Comment(4)
That is not the way to add remember me functionality.... and this also does not work after browser close and reopen. - Zoes
That is not the way to add remember me functionality, but it's for the cookie's session lifetime. With my configuration the session is alive after a browser restart. Sorry, I don't know what is different with your configuration. - Cornejo
This is bad, don't do it. It won't scale. - Myrt
@Cornejo "the session is alive after browser restart". True, but we want the session to be alive after a browser restart only if the remember me option is checked, not always. - Lousy
0

In my case it was a wrong implementation of the supportsClass method of my userProvider, which in turn caused an exception in the TokenBasedRememberMeService class on line 43 (thrown by getUserProvider and caught elsewhere, thus failing silently). Digging in the path shown by Dmitry made me solve the issue.

Agler answered 29/8, 2013 at 23:47 Comment(0)
0

In my case I had implemented a custom Login Handler which was returning a RedirectResponse as per the documentation. It turns out that this makes Symfony bypass the standard login routine, causing the REMEMBERME cookie not to be created/stored.

I had to remove the Login Handler and implement a custom Login Listener with all the needed logic.

You can see how to implement a Login Listener here

Transpire answered 9/1, 2017 at 8:31 Comment(0)
0

You should also make sure your "remember_me" input in the login form does not have the value attribute:

This is correct:

<input type="checkbox" id="remember_me" name="_remember_me" />

But this will not work:

<input type="checkbox" id="remember_me" name="_remember_me" value="" />

If you are using form_login, check also that remember_me is enabled in security.yml:

firewalls:
    main:
        form_login:
            # ...
            remember_me: true
Unpile answered 10/1, 2017 at 10:34 Comment(0)
0

I had the same issue. After investigation I found that /vendor/symfony/doctrine-bridge/Security/User/EntityUserProvider.php::loadUserByUsername() requires you either to set the property field on your entity user provider or to have your repository implement Symfony\Bridge\Doctrine\Security\User\UserLoaderInterface with a loadUserByUsername() method.

I just added the property field like so:

providers:
    user_provider:
        entity:
            class: App\Entity\User
            property: email
Jayejaylene answered 27/4, 2018 at 7:12 Comment(0)
0

I'm using Symfony 4 and I had a similar problem: the REMEMBERME cookie was not set.

My issue was that I had a value="" set to the input type checkbox field.

So I changed from this

<input type="checkbox" value="" id="remember_me" name="_remember_me">

to this

<input type="checkbox" id="remember_me" name="_remember_me">

Latter answered 6/8, 2018 at 13:25 Comment(0)
0

In my case, the authenticator had overridden the supportsRememberMe method:

public function supportsRememberMe()
{
    return true; // change it to true
}
Deeannadeeanne answered 4/1, 2019 at 13:37 Comment(0)