symfony Delete remember me cookie when logging out

8.5k views

There is a delete_cookies in the security configuration file: http://symfony.com/doc/current/reference/configuration/security.html

I have remember_me enabled. Everything works fine except when a user goes to the 'logout' link (directly from the URL bar), I want Symfony to delete the REMEMBERME cookie. How can I achieve that? Am I missing something?

When I go to the URL /app/logout, I can see in the Chrome dev tools that I still have the REMEMBERME cookie.

This is my security.yml file:

firewalls:
    app_secured:
        anonymous: ~
        switch_user: true
        pattern: ^(/$|/login$|/app/)
        form_login:
            login_path: login
            check_path: login_check
            csrf_provider: form.csrf_provider
            default_target_path: index
            always_use_default_target_path: true
        remember_me:
            key: "%secret%"
            lifetime: 2592000
            path: ~
            domain: ~
        logout:
            invalidate_session: true
            delete_cookies:
                REMEMBERME: { path: null, domain: null}
            path: logout
            target: login
access_control:
    - { path: ^/app/_sys/, roles: ROLE_NO_ACCESS }
    - { path: ^/app/, roles: ROLE_USER }
    - { path: ^/app/admin/, roles: ROLE_ADMIN }

Routing.yml

login:
    path:      /
    defaults:  { _controller: AppWebBundle:Login:login }
login_check:
    path: /login_check
logout:
    path: /app/logout

LoginController.php

<?php

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;

/**
 * Login controller.
 * @Route("/")
 */
class LoginController extends Controller
{
    /**
     * Login page
     * @Route("/login", name="login2")
     */
    public function loginAction(Request $request)
    {
        /* Reduced for simplicity, same code as:
           http://symfony.com/doc/current/book/security.html#using-a-traditional-login-form */
        $authenticationUtils = $this->get('security.authentication_utils');
        // last authentication error (if any) and last username entered by the user
        $error = $authenticationUtils->getLastAuthenticationError();
        $lastUsername = $authenticationUtils->getLastUsername();

        return $this->render('AppWebBundle:Default:login.html.twig', [
            'last_username' => $lastUsername,
            'error' => $error,
        ]);
    }
}
3

There are 3 answers

4
Jonwd On BEST ANSWER

I found out that it doesn't work if you put the logout URL directly into the URL bar. The user has to click logout for it to work.

Creating a link <a href="{{url('logout')}}">Logout</a> and clicking it worked.

1
neox On

You could delete the cookie with this in a controller:

use Symfony\Component\HttpFoundation\Response;

$response = new Response();
// adds a Set-Cookie header that expires REMEMBERME (default path "/")
$response->headers->clearCookie('REMEMBERME');
$response->send();
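A way to verify the fix with curl instead of the browser's dev tools, added here as an example that is not part of the question or of any answer: it looks at the logout response's Set-Cookie headers for a REMEMBERME entry that actually expires the cookie on the same path it was set with (delete_cookies in the question's config, or clearCookie() above, both produce such a header). The /app/logout URL is the one from the question's routing.yml; the localhost address and the sample headers are assumptions constructed for the example.

```shell
#!/bin/sh
# Added check (not from the original post): does the logout response really clear
# REMEMBERME? A browser only drops a cookie when the clearing Set-Cookie carries the
# same name, path and domain as the cookie that was set, so the path is checked too.
#
# Capture real headers from the app in the question (localhost is an assumption), then
# run: cookie_cleared "$(cat hdr.txt)" REMEMBERME
#   curl -s -D hdr.txt -o /dev/null -b cookies.txt -c cookies.txt http://localhost/app/logout

# Exit 0 when $1 (response headers) contains a Set-Cookie that expires cookie $2
# (Max-Age=0 or an expiry date in 1970) on path $3 (default "/", Symfony's default path).
cookie_cleared() {
    headers=$1; name=$2; path=${3:-/}
    printf '%s\n' "$headers" | tr -d '\r' | awk -v name="$name" -v path="$path" '
        tolower($0) ~ /^set-cookie:/ {
            n = split(substr($0, index($0, ":") + 1), attr, ";")
            sub(/^ */, "", attr[1]); split(attr[1], kv, "=")
            if (kv[1] != name) next
            expired = 0; cpath = "/"
            for (i = 2; i <= n; i++) {
                a = attr[i]; sub(/^ */, "", a)
                if (tolower(a) == "max-age=0") expired = 1
                if (tolower(a) ~ /^expires=/ && a ~ /1970/) expired = 1
                if (tolower(a) ~ /^path=/) cpath = substr(a, 6)
            }
            if (expired && cpath == path) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: a logout redirect where delete_cookies (or clearCookie()) worked.
CLEARED_HEADERS='HTTP/1.1 302 Found
Location: /
Set-Cookie: REMEMBERME=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly'

# Constructed sample: cleared on /app only, so a cookie set with path "/" survives.
WRONG_PATH_HEADERS='HTTP/1.1 302 Found
Location: /
Set-Cookie: REMEMBERME=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/app; httponly'

# Constructed sample: a redirect that sends no clearing header at all.
NOT_CLEARED_HEADERS='HTTP/1.1 302 Found
Location: /'

for h in CLEARED_HEADERS WRONG_PATH_HEADERS NOT_CLEARED_HEADERS; do
    eval "v=\$$h"
    if cookie_cleared "$v" REMEMBERME; then echo "$h: cleared"; else echo "$h: still set"; fi
done
```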

0
lenybernard On

Removing the REMEMBERME token on the server side after logout should be automatic, but it isn't. To do so, you'll have to change the way you store your token.

Since Symfony 2.8, the easy way is to use Doctrine to store tokens in the database:

# config/packages/security.yaml
security:
    # ...

    firewalls:
        main:
            # ...
            remember_me:
                secret: '%kernel.secret%'
                # ...
                token_provider:
                    doctrine: true

Doing this will not only store the token in the database, it will also invalidate it on the logout event.

You can learn more in the documentation: https://symfony.com/doc/6.1/security/remember_me.html