Increasing the database session duration with Symfony - symfony

My session for Symfony is being placed into the database as intended; however, the session lifetime is only 24 minutes. I'm attempting to increase this, but it doesn't seem to be working.
My framework.yaml file:
session:
    enabled: true
    handler_id: Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler
    cookie_secure: 'auto'
    cookie_samesite: 'lax'
    cookie_lifetime: 604800
My services.yaml file:
services:
    Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler:
        arguments:
            - '%env(DATABASE_URL)%'
My security.yaml file:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main:
        login_throttling:
            limiter: app.custom.limiter
        lazy: true
        provider: app_user_provider
        # https://symfony.com/doc/current/security/impersonating_user.html
        switch_user: true
        guard:
            authenticators:
                - App\Security\LoginFormAuthenticator
        logout:
            path: logout
            # where to redirect after logout
            # target: app_any_route
        remember_me:
            secret: '%kernel.secret%'
            lifetime: 604800 # 1 week in seconds
What am I doing wrong here?

The default session.gc_maxlifetime in PHP is 1440 seconds, which explains the 24 minutes.
So update your session.gc_maxlifetime value.
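As an added example (not code from the question, the answer or Symfony itself), the plain-PHP script below models the approach Symfony's PdoSessionHandler takes for database sessions: each row stores the gc_maxlifetime that applied when it was written, and a row older than that is treated as expired both by read() and by garbage collection. Running it shows why a 604800-second cookie changes nothing while gc_maxlifetime stays at PHP's default of 1440. The table layout, the fixed clock value and the session id are constructed for the demo; it needs PHP 8.0+ with pdo_sqlite and does not require Symfony to be installed. The same mechanism is behind the later threads on this page about users being logged out after 15 or 24 minutes.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question, the answer or Symfony.
// A minimal database-backed session handler in the style of Symfony's
// PdoSessionHandler: every row carries the gc_maxlifetime that applied when
// it was written, rows past that age are invisible to read() and are
// deleted by gc(). The clock is injectable so the demo runs instantly.
final class DbSessionHandler implements SessionHandlerInterface
{
    /** @var callable(): int */
    private $clock;

    public function __construct(private PDO $pdo, callable $clock)
    {
        $this->clock = $clock;
        // Constructed schema, close to the columns PdoSessionHandler uses.
        $pdo->exec('CREATE TABLE IF NOT EXISTS sessions (
            sess_id TEXT PRIMARY KEY,
            sess_data BLOB NOT NULL,
            sess_lifetime INTEGER NOT NULL,
            sess_time INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }

    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare(
            'SELECT sess_data, sess_lifetime, sess_time FROM sessions WHERE sess_id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return '';
        }
        // An expired row is treated as absent even before gc() has run, so a
        // cookie that is still valid in the browser cannot resurrect it.
        if ((int) $row['sess_time'] + (int) $row['sess_lifetime'] < ($this->clock)()) {
            return '';
        }
        return (string) $row['sess_data'];
    }

    public function write(string $id, string $data): bool
    {
        // The stored lifetime is session.gc_maxlifetime, the value the answer
        // above says to raise. session.cookie_lifetime is never consulted.
        $lifetime = (int) ini_get('session.gc_maxlifetime');
        $stmt = $this->pdo->prepare(
            'REPLACE INTO sessions (sess_id, sess_data, sess_lifetime, sess_time)
             VALUES (:id, :data, :lifetime, :time)');
        return $stmt->execute([
            ':id' => $id, ':data' => $data, ':lifetime' => $lifetime, ':time' => ($this->clock)(),
        ]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE sess_id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE sess_time + sess_lifetime < :now');
        $stmt->execute([':now' => ($this->clock)()]);
        return $stmt->rowCount();
    }
}

// Demo with a constructed clock: a one-week cookie, PHP's default
// gc_maxlifetime of 1440 seconds, and a user who comes back after 25 minutes.
$now = 1_700_000_000;
$clock = static function () use (&$now): int { return $now; };
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler = new DbSessionHandler($pdo, $clock);

ini_set('session.cookie_lifetime', '604800');   // what the question configured
ini_set('session.gc_maxlifetime', '1440');      // what it left at the default
$handler->write('abc123', 'user|s:5:"alice";');
$now += 25 * 60;
printf("25 min idle, gc_maxlifetime=1440:   %s\n",
    $handler->read('abc123') === '' ? 'logged out' : 'still logged in');

// The fix: make gc_maxlifetime match the cookie, then write the session again.
ini_set('session.gc_maxlifetime', '604800');
$handler->write('abc123', 'user|s:5:"alice";');
$now += 3 * 24 * 3600;
printf("3 days idle, gc_maxlifetime=604800: %s\n",
    $handler->read('abc123') === '' ? 'logged out' : 'still logged in');
printf("rows removed by gc(): %d\n", $handler->gc(0));
```

In Symfony the value is set with framework.session.gc_maxlifetime, and PdoSessionHandler only consults that value, never cookie_lifetime. Two checks before raising it to a week: existing rows keep the lifetime they were written with, so the change only takes effect as each session is next written; and an idle session that stays valid for seven days also widens the window in which a stolen session cookie remains usable, so keep cookie_secure and cookie_httponly on and consider whether the remember_me cookie already in the config would meet the requirement instead.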

Related

Symfony 5 - Multiple authenticators in firewall. I need to set the "entry_point

I don't know if what I'm trying to do is possible, but I have the following configuration in my security.yaml and it shows me the following error:
Because you have multiple authenticators in firewall "administrator_secured_area", you need to set the "entry_point" key to one of your authenticators ("App\Security\AdministratorAuthenticator", "form_login") or a service ID implementing "Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface". The "entry_point" determines what should happen (e.g. redirect to "/login") when an anonymous user tries to access a protected page.
I have searched for various solutions, but none suits my current setup:
security:
    enable_authenticator_manager: true
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
        App\Entity\Administrator:
            algorithm: auto
        App\Entity\Instructor:
            algorithm: auto
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_administrator_provider:
            entity:
                class: App\Entity\Administrator
                property: email
        app_instructor_provider:
            entity:
                class: App\Entity\Instructor
                property: email
    # used to reload user from session & other features (e.g. switch_user)
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        administrator_secured_area:
            lazy: true
            provider: app_administrator_provider
            custom_authenticator: App\Security\AdministratorAuthenticator
            form_login:
                login_path: /login/administrator
                check_path: /app_login_administrator
                default_target_path: /login/administrator
            logout:
                path: app_logout
                # where to redirect after logout
                target: app_login_administrator
        instructor_secured_area:
            lazy: true
            provider: app_instructor_provider
            custom_authenticator: App\Security\InstructorAuthenticator
            form_login:
                login_path: /login/instructor
                check_path: /app_login_instructor
                default_target_path: /login/instructor
            logout:
                path: app_logout
                # where to redirect after logout
                target: app_login_instructor
            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall
            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true
    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # - { path: ^/admin, roles: ROLE_ADMIN }
        # - { path: ^/profile, roles: ROLE_USER }

when@test:
    security:
        password_hashers:
            # By default, password hashers are resource intensive and take time. This is
            # important to generate secure password hashes. In tests however, secure hashes
            # are not important, waste resources and increase test times. The following
            # reduces the work factor to the lowest possible values.
            Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
                algorithm: auto
                cost: 4 # Lowest possible value for bcrypt
                time_cost: 3 # Lowest possible value for argon
                memory_cost: 10 # Lowest possible value for argon
As the error message suggests, you should set the entry_point key to one of your authenticators. Here is an example; you could set it in one of them, or you could try setting it in both:
administrator_secured_area:
    lazy: true
    provider: app_administrator_provider
    custom_authenticator: App\Security\AdministratorAuthenticator
    form_login:
        login_path: /login/administrator
        check_path: /app_login_administrator
        default_target_path: /login/administrator
    logout:
        path: app_logout
        # where to redirect after logout
        target: app_login_administrator
    entry_point: 'form_login'
instructor_secured_area:
    lazy: true
    provider: app_instructor_provider
    custom_authenticator: App\Security\InstructorAuthenticator
    form_login:
        login_path: /login/instructor
        check_path: /app_login_instructor
        default_target_path: /login/instructor
    logout:
        path: app_logout
        # where to redirect after logout
        target: app_login_instructor
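The error message also allows the second option: a service implementing AuthenticationEntryPointInterface. As an added example (not code from the question or the answer), this is what such a class looks like when a firewall should send anonymous browser requests to a login form but answer scripted callers with a 401. It assumes Symfony's security-http and routing components are installed, that the login forms are the routes used as logout targets in the question (app_login_administrator and app_login_instructor), and that administrator pages live under /administrator; the class name is invented for the example.

```php
<?php
declare(strict_types=1);

namespace App\Security;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;

/**
 * Added example, not code from the question or the answer. A firewall with
 * more than one authenticator may name this service as its entry_point
 * instead of one of the authenticators. It decides what an anonymous
 * request to a protected URL gets back.
 */
final class AreaLoginEntryPoint implements AuthenticationEntryPointInterface
{
    public function __construct(private UrlGeneratorInterface $urlGenerator)
    {
    }

    public function start(Request $request, ?AuthenticationException $authException = null): Response
    {
        // Assumption: the two login forms are the routes used as logout
        // targets in the question (app_login_administrator and
        // app_login_instructor) and administrator pages live under /administrator.
        $route = str_starts_with($request->getPathInfo(), '/administrator')
            ? 'app_login_administrator'
            : 'app_login_instructor';

        // Scripts and fetch() callers get a 401, not an HTML login page behind
        // a 302: silently following the redirect would hide the real failure.
        if ('json' === $request->getPreferredFormat()) {
            return new JsonResponse(
                ['error' => 'Authentication required', 'login' => $this->urlGenerator->generate($route)],
                Response::HTTP_UNAUTHORIZED
            );
        }

        return new RedirectResponse($this->urlGenerator->generate($route));
    }
}
```

Wire it with entry_point: App\Security\AreaLoginEntryPoint in place of entry_point: 'form_login' (with the default services.yaml the class is autowired and needs no extra service definition). Two checks worth making against the configuration in the question: instructor_secured_area also combines custom_authenticator with form_login, so it needs an entry_point of its own or the same exception will be thrown for it next; and neither firewall declares a pattern, so the first one listed matches every request and the second is never reached.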

Symfony logs out after 15 mins idle

My Symfony application (3.4.8) seems to ignore any attempt to prolong the session. What would be the best course of action to troubleshoot this issue? The documentation is very vague.
app/config/security.yml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
                default_target_path: /
            logout: true
            anonymous: true
            remember_me:
                secret: '%secret%'
                lifetime: 28000
                path: /
            access_denied_handler: app.security.access_denied_handler
config.yml
framework:
    lock: 'semaphore'
    #esi: ~
    #translator: { fallbacks: ["%locale%"] }
    secret: "%secret%"
    router:
        resource: "%kernel.root_dir%/config/routing.yml"
        strict_requirements: ~
    form: ~
    csrf_protection: ~
    validation: { enable_annotations: true }
    #serializer: { enable_annotations: true }
    templating:
        engines: ['twig']
    default_locale: "%locale%"
    trusted_hosts: ~
    trusted_proxies: ~
    session:
        handler_id: session.handler.native_file
        save_path: "/tmp"
        cookie_lifetime: 28800
    fragments: ~
    http_method_override: true
    assets: ~
Maybe try this in your config:
session:
    cookie_lifetime: 18000
    gc_maxlifetime: 18000
Hope it helps!
Judging by this:
handler_id: session.handler.native_file
you're using a native session handler. From the Symfony documentation:
So-called native handlers are save handlers which are either compiled into PHP or provided by PHP extensions, such as PHP-Sqlite, PHP-Memcached and so on.
All native save handlers are internal to PHP and as such have no public-facing API. They must be configured by php.ini directives, usually session.save_path and potentially other driver-specific directives.
Inspecting the NativeFileSessionHandler, I've found no methods relating to session duration. That leads me to the conclusion that you have to set the duration at the PHP level, not at the Symfony level.
So, try setting session.gc_maxlifetime (in your php.ini or by calling ini_set) to 3600.
Your setting will log you out if you are inactive for more than 30 minutes.
You can add the following to your yml file:
#app/config/config.yml
session:
    cookie_lifetime: 86400
    gc_maxlifetime: 1800
    gc_probability: 1
    gc_divisor: 1

Users are disconnected in 5/6 minutes

With Symfony 3.3.16, my users are disconnected after 5/6 minutes. I don't understand.
This problem only happens in production (OVH), not in dev.
session.gc_maxlifetime: 1440
security.yml:
security:
    encoders:
        AppBundle\Entity\User: bcrypt
    providers:
        database_users:
            entity:
                class: AppBundle\Entity\User
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            anonymous: true
            simple_form:
                username_parameter: _email
                authenticator: AppBundle\Security\Authenticator
                check_path: login
                login_path: login
                success_handler: AppBundle\Handler\AuthenticationSuccessHandler
            logout:
                path: logout
                handlers: [AppBundle\Handler\LogoutHandler]
                success_handler: AppBundle\Handler\LogoutSuccessHandler
    access_control:
        - { path: '^/administration', roles: ROLE_ADMIN }
        - { path: '^/user', roles: ROLE_USER }
Can you help me?
In the Symfony configuration reference, you can configure the session lifetime settings:
cookie_lifetime
This determines the lifetime of the session, in seconds. The default value, null, means that the session.cookie_lifetime value from php.ini will be used. Setting this value to 0 means the cookie is valid for the length of the browser session.
gc_maxlifetime
This determines the number of seconds after which data will be seen as "garbage" and potentially cleaned up. Garbage collection may occur during session start and depends on gc_divisor and gc_probability.
Check their values in config.yml and config_prod.yml.
I understand you have already checked the php.ini value session.gc_maxlifetime.

Timeout Facebook Login with HWIOAuthBundle: Gateway Timeout 504

Hi!
I am going mad over the following error, found in the prod log, with Facebook Login via HWIOAuthBundle. I have never encountered this bug on our localhosts. It occurred (and continues to occur) several times on prod, sporadically. I tried setting verify_peer to false in config.yml, turning off IPv6 on the nginx server, etc. Nothing has solved this problem.
Here is the exact error:
[2017-09-05 17:48:16] request.CRITICAL: Uncaught PHP Exception
HWI\Bundle\OAuthBundle\OAuth\Exception\HttpTransportException:
"Error while sending HTTP request" at
/home/keywinf/htdocs/www/vendor/hwi/oauth-bundle/OAuth/ResourceOwner/AbstractResourceOwner.php line 255
{"exception":"[object] (HWI\\Bundle\\OAuthBundle\\OAuth\\Exception\\HttpTransportException(code: 28):
Error while sending HTTP request at /home/keywinf/htdocs/www/vendor/hwi/oauth-bundle/OAuth/ResourceOwner/AbstractResourceOwner.php:255, Buzz\\Exception\\RequestException(code: 28):
Connection timed out after 60000 milliseconds at /home/keywinf/htdocs/www/vendor/kriswallsmith/buzz/lib/Buzz/Client/Curl.php:29)"} []
config.yml
hwi_oauth:
    firewall_names: [main]
    use_referer: true
    fosub:
        username_iterations: 30
        properties:
            facebook: facebookId
    resource_owners:
        facebook:
            type: facebook
            client_id: "%facebook_id%"
            client_secret: "%facebook_secret%"
            infos_url: 'https://graph.facebook.com/me?fields=id,name,first_name,last_name,picture.type(large),email,gender,birthday,location,age_range'
            scope: "email,user_friends"
    http_client:
        timeout: 60
security.yml
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    api:
        pattern: ^/api/[a-z0-9](-[a-z0-9])+/
        stateless: true
        simple_preauth:
            authenticator: api_key_authenticator
        provider: api
    main:
        pattern: ^/
        anonymous: true
        provider: main
        switch_user: true
        form_login:
            login_path: fos_user_security_login
            check_path: fos_user_security_check
            success_handler: acme.security.authentication_handler
            failure_handler: acme.security.authentication_handler
            always_use_default_target_path: false
            default_target_path: /
        oauth:
            resource_owners:
                facebook: /login/check-facebook
            login_path: /login
            failure_path: /login
            success_handler: acme.security.authentication_handler
            always_use_default_target_path: false
            default_target_path: /
            oauth_user_provider:
                service: dm.user_provider
        logout:
            path: fos_user_security_logout
            target: /
        remember_me:
            secret: '%secret%'
If anyone knows what could be causing it... Thank you very much.
OK, I got it, for anyone who has been running into the same storm.
Be careful with IPv6 on your server. PHP curl was trying to do its job through it, but the server was not IPv6-ready, and it eventually fell back to IPv4 (but only after a long time). My solution was to enable IPv6 completely (DNS, conf, etc.). There are plenty of useful (and short) examples for it on the web.
Have fun!
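The asker's fix was to make the server IPv6-ready end to end. As an added example (not code from the question, HWIOAuthBundle or Buzz), the script below shows the client-side knobs for the same failure when that is not an option: a short connect timeout so a dead IPv6 path fails in seconds rather than the 60000 ms seen in the log, an explicit retry pinned to IPv4, and TLS verification left on. The function names are invented for the example; the request goes to the Graph endpoint from the question's infos_url, so it needs network access to exercise, and without an access token Facebook answers with an error status, which is fine here because the point is whether and how quickly the TCP/TLS connect succeeds.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question, HWIOAuthBundle or Buzz.
// Setting verify_peer to false, as tried in the question, removes certificate
// checking and trades a timeout for a man-in-the-middle exposure; this keeps
// verification on and attacks the actual problem, the slow IPv6 fallback.
function fetchJson(string $url, int $connectTimeoutSec = 5, bool $forceIpv4 = false): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => $connectTimeoutSec,   // connect phase only
        CURLOPT_TIMEOUT        => 30,                   // whole request
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Pin the address family when asked; otherwise let curl pick as usual.
        CURLOPT_IPRESOLVE      => $forceIpv4 ? CURL_IPRESOLVE_V4 : CURL_IPRESOLVE_WHATEVER,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
    ]);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $info  = curl_getinfo($ch);

    return [
        'ok'         => $errno === 0 && (int) $info['http_code'] < 400,
        'curl_errno' => $errno,          // 28 is CURLE_OPERATION_TIMEDOUT, the code in the log
        'timed_out'  => $errno === 28,
        'status'     => (int) $info['http_code'],
        'remote_ip'  => (string) ($info['primary_ip'] ?? ''),   // which address family answered
        'connect_s'  => (float) ($info['connect_time'] ?? 0.0),
        'body'       => is_string($body) ? $body : '',
    ];
}

// Try normal resolution first; if the connect phase timed out, retry once on IPv4
// instead of waiting for curl's own slow fallback.
function fetchJsonWithIpv4Fallback(string $url): array
{
    $result = fetchJson($url);
    $result['fell_back_to_ipv4'] = false;
    if ($result['timed_out']) {
        $result = fetchJson($url, 5, true);
        $result['fell_back_to_ipv4'] = true;
    }
    return $result;
}

// Constructed usage against the Graph endpoint from the question's infos_url.
$r = fetchJsonWithIpv4Fallback('https://graph.facebook.com/me?fields=id,name');
printf("errno=%d status=%d via=%s connect=%.2fs ipv4_fallback=%s\n",
    $r['curl_errno'], $r['status'], $r['remote_ip'], $r['connect_s'],
    $r['fell_back_to_ipv4'] ? 'yes' : 'no');
```

The remote_ip field is the quick diagnostic: a colon-separated address that never completes the handshake, followed by success on the IPv4 retry, is the symptom described above. The bundle's http_client timeout of 60 in the question matches the 60000 ms in the log; it bounds the whole request, whereas the connect timeout is what decides how long a dead IPv6 route is allowed to stall.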

InvalidConfigurationException: The child node "key" at path "security.firewalls.main.remember_me" must be configured

I tried to update my vendor bundles in Symfony2 using php composer.phar update, but when I did so I received an error after this line:
Updating the "app/config/parameters.yml" file
The error I get is:
[Symfony\Component\Config\Definition\Exception\InvalidConfigurationException]
The child node "key" at path "security.firewalls.main.remember_me" must be configured.
Script Sensio\Bundle\DistributionBundle\Composer\ScriptHandler::clearCache handling the post-update-cmd event terminated with an exception
[RuntimeException]
An error occurred when executing the "'cache:clear --no-warmup'" command.
My security.yml file has the following in its firewall section:
firewalls:
    main:
        pattern: ^/
        provider: fos_userbundle
        form_login:
            csrf_provider: form.csrf_provider
            always_use_default_target_path: false
            default_target_path: webplio_site_dashboard_index
            #success_handler: webplio_site.login_success_handler
            check_path: /login_check
            login_path: /login
        logout: true
        remember_me: true
        anonymous: true
        remember_me:
            key: "%secret%"
            lifetime: 31536000 # 365 days in seconds
            path: /
            domain: ~ # Defaults to the current domain from $_SERVER
where secret is defined in my parameters.yml file.
My question then is what else do I need to do in order to configure the child node "key" at path "security.firewalls.main.remember_me"?
You need to change from
remember_me:
    key: "%secret%"
to
remember_me:
    secret: "%secret%"
Move your remember_me: true under form_login:
form_login:
    ...
    remember_me: true
Check the security reference to see why.
Change key to secret and it works.
