I'm running a Symfony 2.6 application that uses the FOSUserBundle. When users log in they are always 'remembered' because I've configured these settings in my security.yml:
http://symfony.com/doc/current/cookbook/security/remember_me.html
security.yml:
remember_me:
    key: "%secret%"
    lifetime: 604800 # One week
    path: /
    domain: ~
    always_remember_me: true
    secure: true
This creates a REMEMBERME cookie when the user logs in; that's all working fine. However, when I store the cookies (e.g. by using EditThisCookie in Google Chrome), I can still reuse these cookies after the user has logged out.
My scenario:
- User logs in
- Copy REMEMBERME cookie
- User logs out
- Paste REMEMBERME cookie and refresh the page
- The user is logged in again (which I do not want!)
How can I prevent these cookies from being used again after the user has logged out?
The REMEMBERME cookie is not used to restore an existing session, but to log the user in again. So of course you can log in again with the cookie after you've been logged out; otherwise, what would be the purpose of REMEMBERME? In other words, that's expected behaviour.
Anyway, you can add a "Logout" event listener that deletes the cookie.
http://api.symfony.com/2.5/Symfony/Component/Security/Http/Firewall/LogoutListener.html
I can't recommend a specific tutorial about that, but you can find tons of information on the net. If you don't find enough, add a new specific question on how to implement a logout handler.
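The logout handler the answer above suggests, as an added example that is not part of the original answer: a Symfony 2.x LogoutHandlerInterface implementation that clears the REMEMBERME cookie in the browser that performs the logout. The class name, the AppBundle namespace and the service id app.remember_me_logout_handler are assumptions; the cookie name, path, domain and secure flag match the remember_me section from the question.

```php
<?php
// src/AppBundle/Security/RememberMeLogoutHandler.php
// Added example (not code from the answer above). AppBundle and the service id
// "app.remember_me_logout_handler" are assumed names.
namespace AppBundle\Security;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;

class RememberMeLogoutHandler implements LogoutHandlerInterface
{
    /** @var string Name of the remember-me cookie (Symfony's default is REMEMBERME). */
    private $cookieName;

    public function __construct($cookieName = 'REMEMBERME')
    {
        $this->cookieName = $cookieName;
    }

    /**
     * Called by the firewall's LogoutListener after the session has been
     * invalidated and before the redirect to the logout target is sent.
     */
    public function logout(Request $request, Response $response, TokenInterface $token)
    {
        // The clearing cookie must use the same path/domain/secure flag the
        // original cookie was set with (path: /, domain: ~, secure: true in the
        // question's security.yml), otherwise the browser keeps the old one.
        $response->headers->clearCookie($this->cookieName, '/', null, true, true);
    }
}

// Wiring (assumed service id), shown here as a comment:
//
// # app/config/services.yml
// services:
//     app.remember_me_logout_handler:
//         class: AppBundle\Security\RememberMeLogoutHandler
//
// # app/config/security.yml
// security:
//     firewalls:
//         main:
//             logout:
//                 path: /logout
//                 handlers: [app.remember_me_logout_handler]
```

Two caveats worth keeping in mind, from Symfony's own remember-me implementation rather than from this thread: clearing the cookie only affects the browser that sent the logout request, and with the default (non-persistent) remember-me mode the cookie's validity is checked against the user's password hash and expiry, not against any server-side record, so a copy stored elsewhere stays valid until it expires or the password changes. If a copied cookie must become useless at logout, configure a token_provider under remember_me; Symfony then switches to its persistent-token mode, which stores a series identifier per cookie and deletes that series on logout.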
I have a route with a response in json to make accessible for logged in users but also anonymous users but in this case with a response with a status code 401.
I tried to add a firewall:
route_name:
    pattern: ^/path
    anonymous: true
but with this configuration, I always get an anonymous user (in the profiler), even if the user is logged in.
I also tried adding the configuration in access_control instead:
access_control:
    - { path: ^/path, role: IS_AUTHENTICATED_ANONYMOUSLY }
but I keep getting the login form instead.
Any idea how to handle this case? Thanks
When I log out, the PHPSESSID cookie value is changed, but the cookie itself is not removed. Also, the debug toolbar shows "Has session - yes" after logout.
If I remove the cookie manually and refresh the page, it is not created and the debug toolbar shows "Has session - no".
How can I make the logout action not start a new session?
It's possible to add a list of cookies you want to delete on logout. Not sure if it is the best solution, but the session does not exist after logout.
Example security configuration:
security:
    firewalls:
        main:
            anonymous: ~
            logout:
                path: /logout
                target: /
                delete_cookies: ['PHPSESSID']
I'm using FOSUserBundle for the login process of my application.
This application is the back-end part of my work. The front-end one can be on another server.
Login works correctly when the user is authenticated. My problem is when the user is not recognized. In this case, Symfony redirects the response to a URL of my back-end when I want it to go back to my front-end URL. I have found nothing, neither in the Symfony docs nor in various forums, to make progress on this issue.
Thank you for your help.
Caplande
Normally you can configure, in security.yml, the firewall which is used by FOSUserBundle, and tell it to redirect in case of success but also in case of error.
The idea is, in case of error, to redirect the user to an action in your app which is not under your FOSUserBundle firewall rules.
This action should finally redirect the non authenticated user to your frontend url.
Here is an example, in your security.yml:
security:
    firewalls:
        main:
            form_login:
                failure_path: YOUR_REDIRECTING_PATH
                failure_forward: true
To finish, you need to make a route readable anonymously in your app that redirects to your frontend app.
For more information: https://symfony2-document.readthedocs.org/en/latest/cookbook/security/form_login.html
Hope this helps
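The anonymously reachable redirecting action the answer above describes, as an added example that is not part of the original answer. The AppBundle namespace, the route /login-failure with name login_failure and the container parameter frontend_login_url are assumptions; the Security class constant used to read the failure reason exists from Symfony 2.6 on.

```php
<?php
// src/AppBundle/Controller/LoginFailureController.php
// Added example (not code from the answer above). AppBundle, the route name
// "login_failure" and the parameter "frontend_login_url" are assumed names.
namespace AppBundle\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Security;

class LoginFailureController extends Controller
{
    /**
     * Target of form_login.failure_path. With failure_forward: true the
     * firewall forwards the failed login request here as a sub-request, so
     * this route must be reachable by anonymous users.
     *
     * @Route("/login-failure", name="login_failure")
     */
    public function redirectToFrontendAction(Request $request)
    {
        // On a forward the firewall stores the AuthenticationException in the
        // request attributes; on a plain redirect it is in the session.
        $error = $request->attributes->get(Security::AUTHENTICATION_ERROR);
        if (null === $error && $request->hasSession()) {
            $error = $request->getSession()->get(Security::AUTHENTICATION_ERROR);
        }

        // The redirect target comes from configuration, never from the request:
        // a ?redirect= style parameter here would turn this into an open redirect.
        $target = $this->container->getParameter('frontend_login_url');
        if (null !== $error) {
            // Pass only a generic flag to the frontend, not the exception message.
            $target .= (false === strpos($target, '?') ? '?' : '&') . 'login=failed';
        }

        return new RedirectResponse($target, 302);
    }
}

// Matching configuration (assumed values), shown here as a comment:
//
// # app/config/parameters.yml
// parameters:
//     frontend_login_url: 'https://frontend.example.com/login'
//
// # app/config/security.yml
// security:
//     access_control:
//         - { path: ^/login-failure, role: IS_AUTHENTICATED_ANONYMOUSLY }
//     firewalls:
//         main:
//             anonymous: ~
//             form_login:
//                 provider: fos_userbundle
//                 failure_path: /login-failure
//                 failure_forward: true
```

The access_control line plus anonymous: ~ on the firewall is what makes the action readable anonymously; without it the failed-login forward would itself be caught by the firewall and the user would land on the back-end login form again.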
I know we can set the failure path for form_login:
form_login:
    provider: fos_userbundle
    failure_path: /register
    default_target_path: /home
How can I set the same structure for profile edit and password change (profile/edit)?
AFAIK, no, it's not possible.
form_login is handled by Symfony2, not by FOSUserBundle:
By specifying form_login, you have told the Symfony2 framework that any time a request is made to this firewall that leads to the user needing to authenticate himself, the user will be redirected to a form where he will be able to enter his credentials. It should come as no surprise then that you have specified the user provider service we declared earlier as the provider for the firewall to use as part of the authentication process.
Since Symfony2 takes care of security context token population, it has given others a way to set the failure path.
But in your case, it's completely in your control, so why do you need that setting?
I suggest you read more about security.
I'm logged in with a user, and if I then log in with the same user on another browser/device, I want to disconnect the first user and allow access to this new user.
How can I achieve this?
I've solved half of it.
I created this functionality following this link:
https://groups.google.com/d/msg/symfony2/pvBSmKl0g7I/yxYfgxH4IvwJ
It works, but when the remember_me option is in security.yml and I check this option when logging in, it doesn't work.
//security.yml
remember_me:
    key: "%secret%"
    lifetime: 3600
    path: ^/
    domain: ~
The user is still logged in. What's the problem? Cookies?