Remember Me functionality not working in Symfony2

Question

I have implemented remember me functionality in Symfony2. When I log in with remember me box checked, cookie named "REMEMBERME" gets created. That cookie is also available if I close browser and open it after many hours. But when I load home page of my application, the cookie gets automatically deleted and I see no user logged in. Can anyone explain me the reason for cookie deletion?

remember_me:
          key:      qwerty
          lifetime: 604800
          path:     /
          domain:   ~ 

This is my security.yml file section

EDIT: I have still not found the solution to this question...

EDIT2: Now got new problem. The REMEMBERME cookie does not get set at all. How to solve this??

SOLVED: see answer below

Answer 1

Although this question has already been answered, I would like to contribute a possible solution, if only for posterity and Google search referrals for this problem :)

"The issue is simple: a remembered used does not have the IS_AUTHENTICATED_FULLY role but only IS_AUTHENTICATED_REMEMBERED to make a difference between a remembered user and a user who logged in"

Source: http://www.mail-archive.com/[email protected]/msg34021.html

What this means is that in your security configuration, you must make sure that for every ACL entry the IS_AUTHENTICATED_REMEMBERED role is configured in addition to the IS_AUTHENTICATED_FULLY role.

For example:

#app/config/security.yml
security:
    ...
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: [IS_AUTHENTICATED_FULLY,IS_AUTHENTICATED_REMEMBERED] }

Answer 2

John.

I've the same issue as you do (or did), what I've found is that when I am (Symfony2 actually =) ) setting REMEMBERME cookie on line 101 at /vendor/symfony/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeService.php file $user->getPassword() returns NULL, so cookie gets hash calculated with NULL password value.

What happening next, is when you returning to your site being fully confident that you will be automatically authenticated, Symfony begins to check your cookie at the same file as above but on line 58 it founds that cookie hash is not the same as it expects and throws an exception('The cookie\'s hash is invalid.') internally catches it and proceeds somewhere.

So that is the case why in my case cookie doesn't work.

I haven't found a solution yet, but I will dig for it and may be I'm lucky.

Hope your issue is the same and solution will help us both.

The Solution:

When implementing eraseCredentials() which claims to be used to erase user sensitive data from UserInterface do not perform $this->password = null. I've made this mistake because I haven't being understanding its purpose. You can take a glance at Symfony 2 Logout (UserInterface::eraseCredentials) for a little bit of explanation. So it serializes token object and we are in trouble.

Answer 3

I had this problem and the issue was that I did not use single quotation marks in the property key of remember_me section (security.yml).

Change this:

remember_me:
    key:      qwerty
    lifetime: 604800
    path:     /
    domain:   ~

to this:

remember_me:
    key:      'qwerty'
    lifetime: 604800
    path:     /
    domain:   ~

You can check it in the symfony documentation:
http://symfony.com/doc/2.7/cookbook/security/remember_me.html