FOSUserBundle no login possible after upgrade from symfony 2.4 to 2.6

lately I've been upgrading on of my sites from symfony 2.4 to 2.6. I followed all the upgrade note I found and nearly everthing works find. However I'm now not able to login into my site anymore. I use FOSUserBundle and my composer.json includes this line:

"friendsofsymfony/user-bundle": "2.0.*@dev",

I read all tutorial at least three times, compared all options and now I'm already pulling my hair out because I can't find a solution that works!

Everything worked fine in 2.4 so I think it may be related to the options defined in security.yml.

The problem is that I do not get any Exceptions, Warnings or anything suspicious in the apache/symfony log files. This is my security.yml:

parameters:
    security.acl.permission.map.class:
      Sonata\AdminBundle\Security\Acl\Permission\AdminPermissionMap

    sonata.admin.security.mask.builder.class:
      Sonata\AdminBundle\Security\Acl\Permission\MaskBuilder

security:
    acl:
        connection: default
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    access_denied_url:    ~
    always_authenticate_before_granting:  false

    role_hierarchy:
        ROLE_ADMIN:       [ROLE_USER, ROLE_SONATA_ADMIN]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
        ROLE_AUTHOR:      [ROLE_USER, SONATA]
        SONATA:
          - ROLE_SONATA_PAGE_ADMIN_PAGE_EDIT

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
        fos_facebook_provider:
            id: fos_facebook.user.login
        chain_provider:
          chain:
            providers: [fos_userbundle, fos_facebook_provider]

    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
          pattern:   ^/
          fos_facebook:
            app_url: "http://apps.facebook.com/XXX/"
            server_url: "http://XXX"
            login_path: /user/login
            check_path: /facebook/login_check
            default_target_path: /Account
            provider: fos_facebook_provider
          form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
            remember_me: true
            login_path:     /user/login
            default_target_path: /Account
            use_forward:    false
            check_path:     /user/login_check
            failure_path:   null
          logout:
            path: /user/logout
          anonymous: true
          provider: main
          context: main_auth
          remember_me:
            key: XXX
            lifetime: XXX
            path: /
            domain: ~

    access_control:
      - { path: ^/user/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/secured, role: ROLE_USER }
      - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
#      # The WDT has to be allowed to anonymous users to avoid requiring the login with the AJAX request
      - { path: ^/wdt/, role: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/profiler/, role: IS_AUTHENTICATED_ANONYMOUSLY }
##      # AsseticBundle paths used when using the controller for assets
      - { path: ^/js/, role: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/css/, role: IS_AUTHENTICATED_ANONYMOUSLY }

#      # URL of FOSUserBundle which need to be available to anonymous users
#      - { path: ^/secured/.*, role: [ROLE_FACEBOOK] } # This is the route secured with fos_facebook
#      - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY } # for the case of a failed login
      - { path: ^/user/new$, role: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/user/check-confirmation-email$, role: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/user/confirm/, role: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/user/confirmed$, role: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/user/request-reset-password$, role: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/user/send-resetting-email$, role: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/user/check-resetting-email$, role: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/user/reset-password/, role: IS_AUTHENTICATED_ANONYMOUSLY }
#      - { path: ^/secured/.*, role: [IS_AUTHENTICATED_FULLY] } # This is the route secured with fos_facebook
#      # Secured part of the site
      # This config requires being logged for the whole site and having the admin role for the admin part.
      # Change these rules to adapt them to your needs
      - { path: ^/admin/.*, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN, ROLE_AUTHOR] }
#      - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }

After I entered my credentials I get redirected to the login_check url. In this request I can see a "302" redirection going on back to my login page. But I think this is normal. After that I'll be redirected to my login page without being authenticated.

Do you seen any errors in my configuration ? If you need any more code please let me know!

---

FOS configuration in app.yml

fos_user:
    db_driver: orm
    firewall_name: main
    user_class: XXX\UserBundle\Entity\User
    group:
        group_class: XXX\UserBundle\Entity\Group
    service:
      mailer: fos_user.mailer.twig_swift
      user_manager: fos_user.user_manager.default
    registration:
      form:
        type: my_user_registration
      confirmation:
        enabled: true
        template: MyBundle:Mail:registration.email.twig

Login Form in twig

<form class="login_formular" action="{{ path("fos_user_security_check") }}" method="post">
    <input type="hidden" name="_csrf_token" value="{{ csrf_token }}"/>

    <table>
        <tr>
            <td><label for="username">{{ 'security.login.username'|trans({}, 'FOSUserBundle') }}</label></td>
            <td><input class="login_input" type="text" id="username" name="_username" value="{{ last_username }}"
                       required="required"/></td>
        </tr>
        <tr>
            <td><label for="password">{{ 'security.login.password'|trans({}, 'FOSUserBundle') }}</label></td>
            <td><input class="login_input" type="password" id="password" name="_password" required="required"/></td>
        </tr>
        <tr>
            <td><label class="login_input" for="remember_me">Eingeloggt bleiben:</label></td>
            <td><input type="checkbox" id="remember_me" name="_remember_me" value="on" style="margin-top: 5px;"/>
            </td>
        </tr>
        {% if error %}
            <tr>
                <td colspan="2" id="login_form_errors">{{ error.messageKey|trans(error.messageData, 'security') }}</td>
            </tr>
        {% endif %}
        <tr>
            <td colspan="2">
                <input type="submit" id="_submit" name="_submit"
                       value="{{ 'security.login.submit'|trans({}, 'FOSUserBundle') }}"/>
            </td>
        </tr>
    </table>

    <div class="clear"></div>

</form>

I found the problem and a solution, but I'm disappointed about the way I found it.

My problem description was missing the config.yml which caused the error.

This is the faulty part in my config:

framework:
    session:
      save_path: %kernel.root_dir%/var/sessions
      cookie_httponly: true

For some reasons I changed save_path setting and activated cookie_httponly in the past. It seems to me the combination made the framework unable to save ANY client related data.

However I couldn't find any errors in the symfony or apache logs, stating that the path under save_path is wrong and not existing. Only this message would saved me hours of searching. Finally I ended up searching my projects git history for any changes in config and source that may cause the problem.

This config is now working:

framework:
    session:
      save_path: ~
#      cookie_httponly: true

If someone knows exactly why those parameters prevent the login, I would welcome any comment!