symfony

RememberMe doesn't work correctly with basic FormLogin


Using Symfony 7.3, I have this basic security.yaml:

        form_login:
            login_path: app_login
            check_path: app_login
            enable_csrf: true
            success_handler: App\Vision\Security\EventHandler\LoginSuccessHandler
        
        logout:
            path: app_logout
            target: app_login

        remember_me:
            lifetime: 604800
            path: /
            # activated or not, same result
            #always_remember_me: true

And my custom LoginFormAuthenticator is:

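    use Symfony\Component\HttpFoundation\RedirectResponse;
    use Symfony\Component\HttpFoundation\Request;
    use Symfony\Component\HttpFoundation\Response;
    use Symfony\Component\Routing\RouterInterface;
    use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
    use Symfony\Component\Security\Http\Authenticator\AbstractLoginFormAuthenticator;
    use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
    use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
    use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
    use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
    use Symfony\Component\Security\Http\Util\TargetPathTrait;
    // UserRepository is the application's own repository; its namespace is not shown in the question.

    class LoginFormAuthenticator extends AbstractLoginFormAuthenticator
    {
        use TargetPathTrait;

        public function __construct(
            private readonly RouterInterface $router,
            private readonly UserRepository $userRepository
        ) {
        }

        public function authenticate(Request $request): Passport
        {
            $email = $request->request->get('_username');

            return new Passport(
                // Look the user up by e-mail address
                new UserBadge($email, function (string $userIdentifier) {
                    return $this->userRepository->findOneBy(['email' => $userIdentifier]);
                }),
                new PasswordCredentials($request->request->get('_password')),
                // Opt this passport in to remember-me cookie creation
                [new RememberMeBadge()],
            );
        }

        public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
        {
            $user = $token->getUser();
            // Return to the page the user originally requested, if one was stored
            $target = $this->getTargetPath($request->getSession(), 'main');
            if (!empty($target) && $target !== '0') {
                return new RedirectResponse($target);
            }

            return new RedirectResponse($this->router->generate('app_dashboard'));
        }

        protected function getLoginUrl(Request $request): string
        {
            return $this->router->generate('app_login');
        }
    }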

I then have a remember-me checkbox in my form, but when logged in, looking at the authenticators part of the profiler, I see:

skipped "Symfony\Component\Security\Http\Authenticator\RememberMeAuthenticator"

This authenticator did not support the request.

And yes, I need to log in every 30 minutes, not every week as expected. What am I missing? How can I check or test that RememberMe works correctly? The remember-me cookie is correctly set in my browser, but it is still not working.


Solution

  • Ok, I had in my security.yaml:

    access_control:
        - { path: ^/login, roles: PUBLIC_ACCESS }
        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
    

    And according to the doc:

    IS_AUTHENTICATED_FULLY: This is similar to IS_AUTHENTICATED_REMEMBERED, but stronger. Users who are logged in only because of a "remember me cookie" will have IS_AUTHENTICATED_REMEMBERED but will not have IS_AUTHENTICATED_FULLY.

    I changed it to:

    - { path: ^/, roles: IS_AUTHENTICATED }
    

    And it works.
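
The rule order below is an added example, not part of the original answer: it keeps the relaxed catch-all from the fix while still requiring a full login for sensitive areas, since a remember-me cookie is weaker proof of identity than credentials entered in the current session. The `^/account/security` and `^/admin` paths are hypothetical placeholders.

```yaml
# Added example (not from the original post). The /account/security and
# /admin paths are hypothetical placeholders for sensitive areas.
security:
    access_control:
        - { path: ^/login, roles: PUBLIC_ACCESS }

        # Before the fix: a user authenticated only by the remember-me cookie
        # never satisfies this rule, so the cookie alone was not enough.
        # - { path: ^/, roles: IS_AUTHENTICATED_FULLY }

        # The first matching rule wins, so sensitive paths go before the
        # catch-all and still require a login made in the current session.
        - { path: ^/account/security, roles: IS_AUTHENTICATED_FULLY }
        - { path: ^/admin, roles: IS_AUTHENTICATED_FULLY }

        # Everything else accepts a fresh login or a remember-me cookie.
        - { path: ^/, roles: IS_AUTHENTICATED }
```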