I have site A and site B. Both are on HTTPS, on different domains.
Site A runs Symfony, where I prepared a login page which I include via an iframe on page B.
The login process works correctly in every major browser except Chrome with the flag #same-site-by-default-cookies enabled (chrome://flags/#same-site-by-default-cookies). If I disable this flag in Chrome, it works correctly as well.
Does anyone know what I can do to fix it? I probably need to set the SameSite flag inside the cookie to "None", but I have no idea which cookie it concerns or where to change it.
I am using:
Symfony 4.4.2
friendsofsymfony/user-bundle 2.1.2
PHP 7.2
My configs:
framework.yaml
framework:
    secret: '%env(APP_SECRET)%'
    translator: { fallbacks: [pl] }
    form: { enabled: true }
    validation: { enable_annotations: true }
    default_locale: '%locale%'
    csrf_protection: true
    # Enables session support. Note that the session will ONLY be started if you read or write from it.
    # Remove or comment this section to explicitly disable session support.
    session:
        handler_id: Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler
    #esi: true
    fragments: ~
    http_method_override: true
    php_errors:
        log: true
security.yaml
providers:
    fos_userbundle:
        id: fos_user.user_provider.username
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main:
        switch_user: true
        pattern: ^/
        context: user
        remember_me:
            #key: "%secret%"
            secret: "%secret%"
            lifetime: 31536000 # 365 days in seconds
            path: /
            domain: ~ # Defaults to the current domain from $_SERVER
            token_provider: Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider
        form_login:
            provider: fos_userbundle
            # csrf_token_generator: security.csrf.token_manager
            # if you are using Symfony < 2.8, use the following config instead:
            # csrf_provider: form.csrf_provider
            always_use_default_target_path: true
            default_target_path: /after-login
            success_handler: authentication_handler
            failure_handler: authentication_handler
        oauth:
            resource_owners:
                facebook: "/loginSocial/check-facebook"
                google: "/loginSocial/check-google"
            login_path: /loginSocial
            use_forward: false
            failure_path: /loginSocial
            oauth_user_provider:
                service: fm_user_provider
            always_use_default_target_path: true
            default_target_path: /after-login
        logout:
            target: fmUserAfterLogout
            success_handler: logout_handler
        anonymous: true
framework.yaml
add option "cookie_samesite"
session:
    cookie_samesite: none
Symfony Doc
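To find which cookie is affected, as the question asks, the check below classifies Set-Cookie headers by whether current Chrome will send the cookie inside a cross-site iframe. It is an added example, not code from the original posts; the header values are constructed, and PHPSESSID and REMEMBERME are assumed here because they are the PHP and Symfony default cookie names.

```php
<?php
// Added example (not from the original posts): classify Set-Cookie headers
// by whether Chrome will send the cookie inside a cross-site iframe.

/**
 * @param string[] $headers raw Set-Cookie header values
 * @return string[] one "name: verdict" line per header
 */
function auditCrossSiteCookies(array $headers): array
{
    $report = [];
    foreach ($headers as $header) {
        $parts = array_map('trim', explode(';', $header));
        // The first part is "name=value"; the rest are attributes.
        $name = explode('=', array_shift($parts), 2)[0];
        $attrs = [];
        foreach ($parts as $part) {
            if ($part === '') {
                continue;
            }
            $kv = explode('=', $part, 2);
            $attrs[strtolower(trim($kv[0]))] = strtolower(trim($kv[1] ?? ''));
        }
        $sameSite = $attrs['samesite'] ?? null;
        if ($sameSite === null) {
            $verdict = 'not sent: no SameSite attribute, treated as Lax';
        } elseif ($sameSite !== 'none') {
            $verdict = "not sent: SameSite=$sameSite excludes iframe requests";
        } elseif (!array_key_exists('secure', $attrs)) {
            $verdict = 'rejected: SameSite=None requires the Secure attribute';
        } else {
            $verdict = 'sent: SameSite=None with Secure';
        }
        $report[] = "$name: $verdict";
    }
    return $report;
}

// Constructed sample headers, not captured from the poster's site.
$sample = [
    'PHPSESSID=abc123; path=/; HttpOnly',
    'REMEMBERME=xyz789; path=/; secure; HttpOnly; SameSite=Lax',
    'PHPSESSID=abc123; path=/; HttpOnly; SameSite=None',
    'PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=None',
];
echo implode("\n", auditCrossSiteCookies($sample)), "\n";
```

Feed it the Set-Cookie values from the login response of site A; every cookie the login depends on, including the remember-me cookie, has to come out as "sent".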
I am using FOSUserBundle with two different entities for different users, like DefaultUser and AdminUser.
Therefore I have the following in security.yaml:
providers:
    user:
        entity:
            class: AppBundle:User
            property: 'email'
    admin:
        entity:
            class: AppBundle:Admin
            property: 'email'
and firewall is set like this:
admin:
    pattern: ^/admin
    anonymous: ~
    provider: admin
    form_login:
        login_path: /admin/login
        csrf_token_generator: security.csrf.token_manager
        default_target_path: /admin
        check_path: admin_login_check
    logout_on_user_change: true
    logout:
        path: /admin/logout
        target: /admin
        invalidate_session: false
    access_denied_handler: AppBundle\Security\AccessDeniedHandler
    context: application
main:
    pattern: ^/
    provider: user
    logout_on_user_change: true
    form_login:
        # csrf_token_generator: security.csrf.token_manager
        login_path: /login
        default_target_path: /user
        check_path: fos_user_security_check
    logout:
        path: user_logout
        target: user_login
        invalidate_session: false
    context: application
    anonymous: ~
    access_denied_handler: AppBundle\Security\AccessDeniedHandler
How do I get FOSUserBundle to work so that I can use username or email?
Normally it is set by
    id: fos_user.user_provider.username_email
but this cannot be used in this configuration.
It's been a long time since I worked with the fos_userbundle, but from what I see in my code, you'll need to update your security.yml file to make use of it:
security:
    providers:
        fos_userbundle_admin: appbundle.service.providing.admin_user
And in that service (which extends FOS\UserBundle\Security\UserProvider), you'll want to override the findUser($username) method. There, you can use the provided username.
I suppose (untested) you can create another provider (fos_userbundle_user) and use that one for users in your firewall.
Hopefully this makes sense. It's working here, but that was in a Symfony 2.8 app. FOS_UserBundle has changed a fair bit since then.
I'm trying to manage a frontend and backend with different user roles. Inside security.yml I added this:
security:
    providers:
        admin:
            entity:
                class: LoginBundle:Usuarios
                property: mail
        external:
            entity:
                class: LoginBundle:UsuariosExternos
                property: mail
    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            anonymous: true
            provider: admin
            form_login:
                login_path: /
            logout:
                path: logout
                target: /
            access_denied_url: /eu/
        external:
            anonymous: true
            provider: external
            form_login:
                login_path: /
            logout:
                path: logoutExternalUser
                target: /
With this code the external firewall is not working, and when I log in as an external (frontend) user the logout path is /logout and not logoutExternalUser.
Also, with this config, if I write the path /admin it goes to / and not to /admin/login.
We tried to use an AccessDeniedHandlerInterface but we don't know how to get the user role in that instance.
Any help?
You are missing patterns. That's why the firewalls are not firing up.
You should set a pattern for which each one listens.
Check, I updated the code.
security:
    providers:
        admin:
            entity:
                class: LoginBundle:Usuarios # idk if you realized this correctly
                property: mail
        external:
            entity:
                class: LoginBundle:UsuariosExternos
                property: mail
    firewalls:
        admin:
            pattern: ^/admin # pattern in which this will activate
            anonymous: true
            provider: admin
            form_login:
                login_path: adminLogin # implement route
            logout:
                path: security_logout # should work and destroy session
                target: /
            access_denied_url: /eu/
        external:
            pattern: ^/external
            anonymous: true
            provider: external
            form_login:
                login_path: loginExternal # implement route
            logout:
                path: security_logout
                target: /
I recommend you check https://symfony.com/doc/3.4/security/guard_authentication.html
It's a nice way to build any kind of auth you need, if the default security doesn't work for you.
Using Symfony 3, I have set up multiple firewalls. The issue I am having is that only one firewall is working. When I set up new firewalls, it always redirects to the main page.
Below is my security.yml file:
# To get started with security, check out the documentation:
# https://symfony.com/doc/current/security.html
security:
    encoders:
        AppBundle\Entity\User:
            algorithm: bcrypt
            cost: 12
        ClientBundle\Entity\SuperAdmin:
            algorithm: bcrypt
            cost: 12
    providers:
        user:
            entity:
                class: AppBundle:User
                property: email
        simplesaml:
            id: my_user_provider
        client:
            entity:
                class: ClientBundle:SuperAdmin
                property: email
    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        client_login:
            pattern: ^/client/login$
            security: false
        user_login:
            pattern: ^/user/login$
            security: false
        user_secured_area:
            pattern: ^/user
            anonymous: ~
            provider: user
            form_login:
                login_path: /user/login
                check_path: /user/login
                use_referer: true
                success_handler: app_user_security.login_success_handler
                require_previous_session: false
            remember_me:
                secret: '%secret%'
                lifetime: 604800
                path: /user/login
                always_remember_me: true
            logout:
                path: /user/logout
                target: /user/login
        client_secured_area:
            pattern: ^/client
            anonymous: ~
            provider: client
            form_login:
                login_path: /client/login
                check_path: /client/login
                default_target_path: /client/logindss
            remember_me:
                secret: '%secret%'
                lifetime: 604800
                path: /client/
                always_remember_me: true
            logout:
                path: /client/logout
                target: /client/login
        saml:
            pattern: ^/saml
            anonymous: true
            stateless: true
            simple_preauth:
                authenticator: simplesamlphp.authenticator
                provider: simplesaml
            logout:
                path: /logout
                success_handler: simplesamlphp.logout_handler
    access_control:
        - { path: ^/client/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
I have created a new bundle for client login, and the other AppBundle is for normal users' login. I want to make 2 separate login accesses with different pages.
Please help.
According to the official documentation, did you try to use _target_path on your login form?
<form action="{{ path('login') }}" method="post">
    {# ... #}
    <input type="hidden" name="_target_path" value="{{ path('account') }}" />
    <input type="submit" name="login" />
</form>
So, I have this security:
providers:
    fos_userbundle:
        id: hwi_oauth.user.provider.fosub_bridge
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main:
        pattern: ^/
        anonymous: true
        logout: true
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
            login_path: /login
            check_path: /login_check
        oauth:
            resource_owners:
                battlenet: "/login/check-battle-net"
            login_path: /login
            use_forward: false
            failure_path: /login
            oauth_user_provider:
                service: hwi_oauth.user.provider.fosub_bridge
        logout:
            path: /logout
            target: /
        remember_me:
            key: "%secret%"
            lifetime: 31536000 # 365 days in seconds
            path: /
            domain: ~ # Defaults to the current domain from $_SERVER
and I'm using the HWIOAuth bundle. Now I want to implement the classic login from FOSUserBundle alongside this. Is there some simple way? ;)
OK, it was simple... just from the console:
    app/console fos:user:create
then make a route, form and view etc. for FOSUserBundle\SecurityController::loginAction and...
that's it ;) It's working very well, without any change to security.yml.
My application needs 2 firewalls, one for Admin and the other for User. In my security.yml I configured:
admin:
    pattern: ^/admin
    provider: fos_userbundle
    form_login:
        login_path: /admin/login
        use_forward: false
        check_path: /admin/login_check
        failure_path: null
        default_target_path: /admin/dashboard
        always_use_default_target_path: true
    logout:
        path: /admin/logout
        target: /admin
    anonymous: ~
# default login area for standard users
main:
    pattern: ^/
    form_login:
        provider: fos_userbundle
        csrf_provider: form.csrf_provider
    logout:
        path: /logout
    anonymous: ~
I don't know whether this config is correct. Everything's OK when I log in from the main area, but when I log in from admin, it redirects me to the home path instead of default_target_path. I tried changing the provider to a custom provider (e.g. in_memory) to re-check the admin firewall, but I am still logged in as a user from the fos_userbundle provider. Can you help me?
I think it's because there is a main pattern
main:
    pattern: ^/
It controls even ^/admin.
Try to replace ^/ with ^/home or ^/main; it will work on both.
Try removing anonymous and using access control instead. In theory Symfony2 will automatically redirect users from admin back, even if they are using the same login screen.
The security in Symfony2 is cascading (so /admin will also appear under main)
e.g.
# default login area for standard users
main:
    pattern: ^/
    form_login:
        provider: fos_userbundle
        csrf_provider: form.csrf_provider
    logout:
        path: /logout
admin:
    pattern: ^/admin
    provider: fos_userbundle
    form_login:
        use_forward: false
        failure_path: null
        target: /admin/dashboard
        always_use_default_target_path: true
    logout:
        target: /admin
access_control:
    - { path: ^/, roles: [IS_AUTHENTICATED_ANONYMOUSLY, ROLE_USER] }
    - { path: ^/admin, roles: [ROLE_ADMIN] }
You'll likely need different ROLES specified.
I changed main firewall pattern to ^/(?!admin), everything's ok now. Thanks for your help!
main:
    pattern: ^/(?!admin)
    provider: default_provider
    anonymous: ~
admin:
    pattern: ^/admin
    provider: admin_provider
    anonymous: ~
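The effect of the pattern change can be checked offline. This added example (not code from the thread) relies on Symfony handing each request to the first firewall whose pattern matches, in the order the firewalls are listed; matchFirewall, the layout labels and the sample paths are hypothetical.

```php
<?php
// Added example (not from the original posts): pick the firewall for a path
// the way an ordered list is evaluated, where the first match wins.

/**
 * @param array<string,string> $firewalls name => pattern, in config order
 */
function matchFirewall(array $firewalls, string $path): ?string
{
    foreach ($firewalls as $name => $pattern) {
        // Brace delimiters, so "/" inside a pattern needs no escaping.
        if (preg_match('{' . $pattern . '}', $path) === 1) {
            return $name;
        }
    }
    return null;
}

// Patterns taken from the thread; the layout labels are ours.
$layouts = [
    'catch-all first' => ['main' => '^/', 'admin' => '^/admin'],
    'admin first'     => ['admin' => '^/admin', 'main' => '^/'],
    'lookahead'       => ['main' => '^/(?!admin)', 'admin' => '^/admin'],
];

// Constructed request paths; /administrator-guide is hypothetical.
$paths = ['/admin/dashboard', '/admin/login_check', '/login_check',
          '/administrator-guide'];

foreach ($layouts as $label => $firewalls) {
    echo "$label\n";
    foreach ($paths as $path) {
        printf("  %-22s -> %s\n", $path, matchFirewall($firewalls, $path) ?? 'none');
    }
}
```

With the catch-all listed first every path resolves to main, so the admin firewall is never reached. Because ^/admin is a prefix match, /administrator-guide also lands in the admin firewall; ^/admin(/|$) together with ^/(?!admin(/|$)) limits both patterns to the /admin subtree.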