I have an AJAX worker that calls an API URL every second. After 250-300 seconds, I don't get a valid response or a profile-token, as if the user was logged out. I have already configured the cookie_lifetime to 0 but it made no difference. Here's also my security.yml:
firewalls:
    main:
        pattern: ^/
        anonymous: true
        form_login:
            login_path: /home
        logout:
            path: logout
            handler: app.custom_logout
            target: /home
The weird thing is, it seems completely random when a session expires. I have also reached over 1000 AJAX calls and on the other side only 300 calls.
I hope anyone of you can help me.
PS: The AJAX calls are not only a JSON response, they are fully generated Twig templates (including a profiler).
I've found an answer for my question by myself.
You need to configure the gc_divisor, gc_probability and gc_maxlifetime. For example:
session:
    cookie_lifetime: 0
    gc_divisor: 10000
    gc_probability: 1
    gc_maxlifetime: 604800
After this configuration in your config.yml the chance that your session expires (because you have set cookie_lifetime to a specific time) is equal to zero.
Also have a look at the Symfony documentation of sessions: http://symfony.com/doc/current/reference/configuration/framework.html#session
Related
In my Symfony 4 project I am using the default FOSUserBundle configuration, which looks like this:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main:
        pattern: ^/login #problem here
        form_login:
            provider: fos_userbundle
            csrf_token_generator: security.csrf.token_manager
            success_handler: fos_authentication_handler
            failure_handler: fos_authentication_handler
        logout: true
        anonymous: true
So when I use pattern: ^/ it works fine, but when I do it like this: pattern: ^/login it prevents me from logging in, saying that the variable _SESSION is undefined. In my controller I am using the following code, which works fine when the firewall pattern is '^/':
$this->get("session")->save();
I don't want it to block the base route of my site ('mysite.com/') and I want to implement custom logic there. Any ideas how to fix it would be welcome. Thank you.
issue solved
Finally I understand that the firewall pattern means the pattern which covers all route names for the entire site. If it starts with '^/login', all other routes not starting with login won't be covered by the firewall and thus the error appears. Moreover, I had my index path under restricted access in security.yml, so it threw the following error.
I want to include the logged in user's id to my logger.
So I have added a monolog.processor that adds the user id to the 'extra'-portion of the record, and added a custom format string that displays the id.
On my dev environment this works (mostly) as expected, but on the test environment it does not work at all, the TokenStorage always returns null on getToken().
There are no specific security configs for dev or test. The biggest differences between the configs is this part:
framework:
    test: ~
    session:
        storage_id: session.storage.mock_file
    profiler:
        collect: false
I have added this to my dev config but could not reproduce the symptoms. I can only reproduce it by making Symfony think it really is in test.
To be honest, I don't even know where to begin to debug this.
Any ideas what might be causing this behaviour?
Any ideas how I could debug this so I can get to an answer?
In order to have a token you should be inside one of the Symfony firewalls.
If none of the firewalls is matched by the URI, Symfony security is not triggered and you will not have a token.
If it is a public area, allow anonymous users from the root '/*' and use ACL for the rest of the URIs (or actions). Anonymous users will have the role IS_AUTHENTICATED_ANONYMOUSLY.
# app/config/security.yml
security:
    firewalls:
        main:
            pattern: ^/
            anonymous: ~
Documentation:
http://symfony.com/doc/current/security.html
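The two threads above (the ^/login pattern that leaves the base route uncovered, and the null token returned by TokenStorage) both come down to first-match firewall selection. The following is an added model of that selection, not code from Symfony or from either poster; the firewall list is constructed from the security.yml shown in the FOSUserBundle question, and the token names are illustrative.

```python
import re
from typing import List, NamedTuple, Optional


class Firewall(NamedTuple):
    name: str
    pattern: str            # regex matched against the request path, as in security.yml
    security: bool = True   # "security: false" switches the firewall off entirely
    anonymous: bool = False # "anonymous: true/~" lets unauthenticated requests through


# Constructed from the question's security.yml; "main" only covers paths starting with /login.
FIREWALLS_BROKEN: List[Firewall] = [
    Firewall("dev", r"^/(_(profiler|wdt)|css|images|js)/", security=False),
    Firewall("main", r"^/login", anonymous=True),
]

# The same list with the fix applied: "main" now covers every path (pattern ^/).
FIREWALLS_FIXED: List[Firewall] = [
    Firewall("dev", r"^/(_(profiler|wdt)|css|images|js)/", security=False),
    Firewall("main", r"^/", anonymous=True),
]


def match_firewall(firewalls: List[Firewall], path: str) -> Optional[Firewall]:
    """Return the first firewall whose pattern matches the path (assumption: Symfony
    evaluates firewalls in declaration order and uses the first match), else None."""
    for fw in firewalls:
        if re.match(fw.pattern, path):
            return fw
    return None


def token_for(firewalls: List[Firewall], path: str, authenticated: bool = False) -> Optional[str]:
    """Model what TokenStorage::getToken() holds for a request to `path`.

    None   -> no firewall matched, or the matched firewall has security: false,
              so the security system never ran and getToken() is null.
    'ENTRY_POINT' -> a firewall matched but anonymous access is off and the user is not
              authenticated, so the request is challenged (redirect to login) instead.
    """
    fw = match_firewall(firewalls, path)
    if fw is None or not fw.security:
        return None
    if authenticated:
        return "UsernamePasswordToken"
    return "AnonymousToken" if fw.anonymous else "ENTRY_POINT"
```

With the broken list, a request to "/" matches nothing and has no token, which is exactly why the session-dependent controller code failed there.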
After a few hours I got a working LDAP login, based on the 'new' Symfony2 LDAP component from November 11, 2015 (see here). I also followed the docs about the logout.
But every time I request that logout function, nothing seems to happen. The user is still logged in.
This is my code:
app/config/security.yml
security:
    firewalls:
        main:
            pattern: ^/
            stateless: true
            http_basic_ldap:
                service: service.key
                dn_string: "{username}#example.tld"
            logout:
                path: /logout
Bundle/Resources/config/routing.yml
vendor_bundlename_logout:
    path: /logout
Based on this answer my question is:
Do I have to manage the logout by myself with incorrect login credentials? Or did I misconfigure the logout aspect in the security.yml?
I'm trying to make a "remember me" checkbox to keep the user session alive for longer than the lifetime specified in the config. I'm using the Symfony2 session lifetime with the help of the NativeSessionStorage class.
use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;

// Session cookie that lives for one week (in seconds)
$nativeSession = new NativeSessionStorage(
    array(
        'cookie_lifetime' => 3600*24*7
    )
);
When I try to start the session that I've created, Symfony throws this exception.
if ($_SESSION) {
    session_destroy();
    $nativeSession->start();
}
Does anyone have the right process to declare this kind of session?
If you want to build a remember me functionality in Symfony2, you can define a longer lifetime for this function in the Symfony2 config. See the documentation for additional information. The example is also taken from there.
# app/config/security.yml
security:
    # ...
    firewalls:
        main:
            # ...
            remember_me:
                secret: '%secret%'
                lifetime: 604800 # 1 week in seconds
                path: /
                # by default, the feature is enabled by checking a
                # checkbox in the login form (see below), uncomment the
                # following line to always enable it.
                #always_remember_me: true
First of all, I've been looking around for information about this but it was all about Symfony 1.x or even more confusing...
Environment
Symfony 2.3
FOSUserBundle + Custom User entity
Problem
In the web site I'm developing I would like user sessions to end (= have to log in again) either when they close their browser or after 2 hours.
In the Symfony2 documentation they say that the default timeout is set with the parameter "framework.session.cookie_lifetime" of the config.yml, and that its default value is 0, which means that the session expires when the user closes his browser.
Those options are still on default in my configuration file, but when I open a session and then close the browser, if I reopen it and go to the website I'm still logged in... So that's where I started getting confused... I tried to force the cookie_lifetime value to 0, but it's the same.
The config.yml with the cookie_lifetime option set:
framework:
    translator: {fallback: %locale%}
    secret: %secret%
    default_locale: "%locale%"
    trusted_proxies: ~
    session:
        cookie_lifetime: 0
    fragments: ~
    http_method_override: true
Do you have any idea why this behavior happens?
Usually browsers don't end a session if you keep the tab open — even if you restart the browser.