I have built a website with symfony 2.8, I use FOSUserBundle for authentication, user management etc, and I have an issue that I can solve.
For no apparent reason to me, the "rememberme" cookie won't act like as expected.
I pretty sure I've just missed a config parameter in some way but I'm looking for it since hours and can't find it.
I'm using php 7.0 on an apache 2.0 server.
There is my config.yml file (in most part) :
framework:
#esi: ~
translator: { fallbacks: ["%locale%"] }
secret: "%secret%"
router:
resource: "%kernel.root_dir%/config/routing.yml"
strict_requirements: ~
form: ~
csrf_protection: ~
validation: { enable_annotations: true }
#serializer: { enable_annotations: true }
templating:
engines: ['twig']
default_locale: "%locale%"
trusted_hosts: ~
trusted_proxies: ~
session:
# handler_id set to null will use default session handler from php.ini
handler_id: ~
save_path: "%kernel.root_dir%/sessions/"
fragments: ~
http_method_override: true
...
fos_user:
db_driver: orm
firewall_name: main
user_class: UserBundle\Entity\User
from_email:
address: "%email_referer%"
sender_name: "App"
group:
group_class: UserBundle\Entity\Group
group_manager: sonata.user.orm.group_manager
resetting:
email:
template: :mail:resetting_password.html.twig
service:
mailer: fos_user.mailer.twig_swift
user_manager: sonata.user.orm.user_manager
And there is my security.yml :
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_CHAMPION: [ROLE_USER]
ROLE_ENTREPRISE: [ROLE_USER]
ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN, ROLE_A, ROLE_B]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
SONATA:
- ROLE_SONATA_PAGE_ADMIN_PAGE_EDIT
providers:
fos_userbundle:
id: fos_user.user_manager
firewalls:
admin:
pattern: ^/admin
context: user
form_login:
provider: fos_userbundle
login_path: login
use_forward: true
check_path: sonata_user_admin_security_check
failure_path: null
default_target_path: sonata_admin_dashboard
logout:
path: sonata_user_admin_security_logout
target: homepage
invalidate_session: false
anonymous: true
# disables authentication for assets and the profiler, adapt it according to your needs
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: .*
context: user
form_login:
provider: fos_userbundle
login_path: login
use_forward: false
check_path: /login_check
failure_path: null
csrf_token_generator: security.csrf.token_manager
default_target_path: profile
logout:
path: logout
target: homepage
invalidate_session: false
anonymous: true
remember_me:
secret: '%secret%'
lifetime: 15724800 # 6 months
path: /
domain: ~
secure: true
access_control:
# Some public pages
- { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/cgu$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/cgv$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/contact$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/faq$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# URL of FOSUserBundle which need to be available to anonymous users
- { path: ^/connexion, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Admin login page needs to be accessed without credential
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# - { path: ^/admin/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Admin
- { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
# Partie connectée
- { path: ^/, role: IS_AUTHENTICATED_REMEMBERED }
acl:
connection: default
EDIT:
I did some tests and it appears that my REMEMBERME cookie is not deleted, its still here, with the same startdate and enddate than before.
So, I can close and open my browser, the cookie is still here and when I do this I'm still authenticated (and can go to the admin). But when I just stay "idle" for a period of time and I want to access to the admin section, I'm redirected to the login page.
The REMEMBERME cookie still exists, but at this point, I can't access to the page I could when I was starting my browser.
EDIT 2 :
It appears the session lifetime is the "cause" of my problems. But what I want is that when a user check "Remember me" option he has no longer need to login again, even if he keep a tab of my site open for x days in background (like a mobile browser do). How can I do that ?
EDIT 16/08/2017 :
I've added a line in my security.yml file :
domain: ~
It appears that this line make the system work. The issue is no longer detected on my computer with Chrome and Firefox (in case one of these two was playing with my cookies).
PS : I will update this ticket in some days, to "validate" it, if the problem don't show up again.
I think you are talking about your session lifetime more than remember me feature.
In your config.yml you can configure the framework to use a custom session lifetime.
framework:
session:
cookie_lifetime: 3600
If this configuration is not set, the value from your php.ini will be used.
Hope it helps.
The issue no longer appears, the solution seems to be the "domain" parameter :
domain: ~
Related
I would like to implement a Remember me feature. Since I didn't get any custom authenticator, I added one.
After adding it, I faced some issues about redirections. On the navigator, the page is looping between "login" page and my destination page.
This loop ends in a
ERR_TOO_MANY_REDIRECTS error.
This error only occurs on page that requires user being logged.
Symfony version: 5.4.
security.yaml
security:
password_hashers:
App\Entity\User: 'auto'
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
algorithm: 'auto'
cost: 15
providers:
app_user_provider:
entity:
class: App\Entity\User
property: email
enable_authenticator_manager: true
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
provider: app_user_provider
custom_authenticators:
- App\Security\CustomAuthenticator
form_login:
login_path: app_login
check_path: app_login
use_referer: true
logout:
path: app_logout
target: index
user_checker: App\Security\UserChecker
remember_me:
secret: '%kernel.secret%' # required
lifetime: 604800 # 1 week in seconds
signature_properties: ['password']
secured_area:
form_login:
enable_csrf: true
access_control:
- { path: '^/admin', roles: IS_AUTHENTICATED_FULLY }
- { path: '^/tableau-de-bord', roles: IS_AUTHENTICATED_FULLY }
- { path: '^/profil', roles: IS_AUTHENTICATED_FULLY }
- { path: '^/dashboard', roles: IS_AUTHENTICATED_FULLY }
- { path: '^/profile', roles: IS_AUTHENTICATED_FULLY }
In the access_control section, try replacing IS_AUTHENTICATED_FULLY by IS_AUTHENTICATED_REMEMBERED:
security.yaml
security:
...
access_control:
- { path: '^/admin', roles: IS_AUTHENTICATED_REMEMBERED }
- { path: '^/tableau-de-bord', roles: IS_AUTHENTICATED_REMEMBERED }
- { path: '^/profil', roles: IS_AUTHENTICATED_REMEMBERED }
- { path: '^/dashboard', roles: IS_AUTHENTICATED_REMEMBERED }
- { path: '^/profile', roles: IS_AUTHENTICATED_REMEMBERED }
From the doc:
IS_AUTHENTICATED_FULLY: This is similar to IS_AUTHENTICATED_REMEMBERED, but stronger. Users who are logged in only because of a "remember me cookie" will have IS_AUTHENTICATED_REMEMBERED but will not have IS_AUTHENTICATED_FULLY.
I've been having an issue with Symfony 3.3.9. Sometimes, not always, when a user logs in with the correct username and password, it redirects to the main page like it should, but then back to the login page.
I know the user is logged in because I can grab the user's information with twig from the login page.
It is really strange, because this doesn't happen all the time. It seems random and difficult to reproduce.
I've been looking into this issue for days and can't figure out why this is happening. Looking for some suggestions.
Thanks.
Edit-1 added code
Edit-2
When I get redirected to the login, I've tried typing the main page url to manually go there. This doesn't work, even though I am logged in. If I wait a minute or so however, this does work.
I'm using the FOS user bundle
here's my config.yml
# fos bundle
fos_user:
db_driver: orm
firewall_name: main
user_class: Acme\Entity\User
here's my security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
role_hierarchy:
ROLE_EMPLOYEE: [ROLE_USER]
ROLE_MANAGER: [ROLE_EMPLOYEE]
ROLE_ADMIN: [ROLE_MANAGER]
ROLE_SUPER_ADMIN: [ROLE_ADMIN,ROLE_ALLOWED_TO_SWITCH]
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_token_generator: security.csrf.token_manager
always_use_default_target_path: true
default_target_path: after_login
# if you are using Symfony < 2.8, use the following config instead:
# csrf_provider: form.csrf_provider
logout: true
anonymous: true
switch_user: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/administration/roe, role: ROLE_ADMIN }
- { path: ^/administration/generateaccessemployees, role: ROLE_ADMIN }
- { path: ^/administration/location, role: ROLE_ADMIN }
- { path: ^/administration/payroll/closepp, role: ROLE_ADMIN }
- { path: ^/administration/t4, role: ROLE_ADMIN }
- { path: ^/administration/eft, role: ROLE_ADMIN }
- { path: ^/administration/stubmessage, role: ROLE_ADMIN }
- { path: ^/administration/payroll_reminder, role: ROLE_ADMIN }
- { path: ^/administration, role: ROLE_MANAGER }
- { path: ^/admin/exit_impersonation, role: ROLE_PREVIOUS_ADMIN }
- { path: ^/admin, role: ROLE_SUPER_ADMIN }
In my login_content.html.twig, I'm able to see:
{{ app.user.username }}
Definitely would need to see some code, more specifically to help get to the root of the problem whatever function is run on login.
EDIT:
In the security.yml you can specify a login_path, in example:
my_firewall:
pattern: ^/(secured_area)/
provider: my_provider
anonymous: ~
form_login:
login_path: my_login_path
default_target_path: /dashboard
And in the routing.yml you can map the route as:
my_login_path:
pattern: /my/relative/url/for/login
defaults: { _controller: MySecurityBundle:Security:login }
then you can use an a normal route, in you specific case:
return $this->forward($this->generateUrl('my_login_path'));
The only reason I suggest this is because default routing after login is causing issues for you.
I switched to my prod environemnt today and started testing. Everything is working great with my admin user. The problem is when I switch to another user, that has a role PROVIDER. This user is only able to add products or import them in admin panel. However, when I go to admin dashboard I get these errors:
Warning: Missing argument 1 for Sonata\AdminBundle\Admin\Admin::__construct(), called in C:\wamp\www\karpedeal_b2c\vendor\ed\blog-bundle\Security\Authorization\Voter\ArticleVoter.php on line 37 and defined in C:\wamp\www\karpedeal_b2c\app\cache\prod\classes.php on line 5473
No idea whats going on since in DEV environment everything works. I can login with provider user, import products etc... in prod, i cant.
For some reason it is trying to access somethin in the blog bundle, however this user does not have any rights to blogs... What is the problem then?
role_hierarchy:
ROLE_PROVIDER: [ROLE_USER, ROLE_SONATA_PROVIDER]
ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_PROVIDER, ROLE_SONATA_ADMIN, ROLE_BLOG_USER, ROLE_BLOG_ADMIN]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
ROLE_SONATA_PROVIDER:
- ROLE_MP_SHOP_ADMIN_PRODUCT_LIST
- ROLE_MP_SHOP_ADMIN_PRODUCT_VIEW
- ROLE_MP_SHOP_ADMIN_IMPORTER_LIST
- ROLE_MP_SHOP_ADMIN_IMPORT_SCHEMA_CREATE
- ROLE_MP_SHOP_ADMIN_IMPORT_SCHEMA_LIST
SONATA:
- ROLE_SONATA_PAGE_ADMIN_PAGE_EDIT # if you are using acl then this line must be commented
ROLE_SONATA_EMPLOYEE:
- ROLE_MP_SHOP_ADMIN_PRODUCT_LIST
- ROLE_MP_SHOP_ADMIN_PRODUCT_VIEW
firewalls:
# disables authentication for assets and the profiler, adapt it according to your needs
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
admin:
pattern: /admin(.*)
context: user
form_login:
provider: fos_userbundle
login_path: /admin/login
use_forward: false
check_path: /admin/login_check
failure_path: null
logout:
path: /admin/logout
anonymous: true
main:
pattern: ^/
context: user
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
login_path: /login
#use_forward: false
check_path: fos_user_security_check
#failure_path: null
always_use_default_target_path: false
default_target_path: profile
logout:
path: fos_user_security_logout
oauth:
resource_owners:
facebook: "/login/check-facebook"
login_path: /login
failure_path: /login
oauth_user_provider:
service: my_user_provider
anonymous: true
default:
anonymous: ~
# activate different ways to authenticate
access_control:
# URL of FOSUserBundle which need to be available to anonymous users
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Admin login page needs to be access without credential
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Secured part of the site
# This config requires being logged for the whole site and having the admin role for the admin part.
# Change these rules to adapt them to your needs
- { path: ^/admin/, role: [ROLE_PROVIDER, ROLE_ADMIN, ROLE_SONATA_ADMIN, ROLE_SONATA_PROVIDER] }
- { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
acl:
connection: default
UPDATE:
When changing AppKernel $kernel = new AppKernel('prod', true);everything works, so the debugger is causing the problems? How can that be?
I use SonataAdminBundle, but I have a some trouble. When I log as admin and then loging put, I still can acces to dashboard panel, and in profile displays like I am authenticated as admin. What I am doing wrong and how I can solve this issue ? Thanks!
Configure security.yml:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
SONATA:
- ROLE_SONATA_PAGE_ADMIN_PAGE_EDIT # if you are using acl then this line must be commented
providers:
fos_userbundle:
id: fos_user.user_manager
firewalls:
# Disabling the security for the web debug toolbar, the profiler and Assetic.
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
# -> custom firewall for the admin area of the URL
admin:
pattern: /admin(.*)
context: user
form_login:
provider: fos_userbundle
login_path: /admin/login
use_forward: false
check_path: /admin/login_check
failure_path: null
default_target_path: /admin/dashboard
logout:
path: /admin/logout
target: /admin/login
anonymous: true
# -> end custom configuration
# default login area for standard users
# This firewall is used to handle the public login area
# This part is handled by the FOS User Bundle
main:
pattern: .*
context: user
form_login:
provider: fos_userbundle
login_path: /login
use_forward: false
check_path: /login_check
failure_path: null
logout: true
anonymous: true
access_control:
# URL of FOSUserBundle which need to be available to anonymous users
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Admin login page needs to be access without credential
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Secured part of the site
# This config requires being logged for the whole site and having the admin role for the admin part.
# Change these rules to adapt them to your needs
- { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
- { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
Regards.
I'm currently trying to implement the remember me functionality in a Symfony2 project following this guide http://symfony.com/doc/master/cookbook/security/remember_me.html.
(I'm currently developing in locale)
So my currently configuration in the security.yml is:
form_login:
[...]
remember_me: true
remember_me:
key: secretKey
lifetime: 31536000 # 365 days in seconds
path: /
domain: localhost # Defaults to the current domain from $_SERVER
access_control:
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login-check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin, role: [IS_AUTHENTICATED_REMEMBERED, ROLE_ADMIN] }
The "REMEMBERME" cookie is created at login and it's still present after I close the browser window. When I open the browser again the cookie is still there, but it gets deleted when I try to access the /admin path and then I get redirected to the login page.
Can't really get my head around is...has anybody encountered problems like this?
Thanks
Maybe there is another rule matched in your access_control
from here: http://symfony.com/doc/current/book/security.html#securing-url-patterns-access-control
You can define as many URL patterns as you need - each is a regular expression. BUT, only one will be matched...
Also read this: http://symfony.com/doc/current/cookbook/security/access_control.html
Basic solution
"Remember me" function in FosUserBundle 1.3.5 (with Symfony 2.6) works for me. I just want to be logged in on my page (see user name, picture ...), after browser was closed.
There is a difference between 'IS_AUTHENTICATED_FULLY' and 'IS_AUTHENTICATED_REMEMBERED'.
In my twig:
{% if is_granted('IS_AUTHENTICATED_REMEMBERED') %}
...
{% endif %}
In my security.yml I used default configuration from Symfony Cookbook (How to Add "Remember Me" Login Functionality). Otherwise it is plain security.yml form FossUserBundle Github documentation.
# app/config/security.yml
security:
providers:
fos_userbundle:
id: fos_user.user_provider.username
encoders:
FOS\UserBundle\Model\UserInterface: sha512
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
remember_me:
key: "%secret%"
lifetime: 31536000 # 365 days in seconds
path: /
domain: ~ # Defaults to the current domain from $_SERVER
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
P.S I have to clear:cache to have it work in IE11