Skip to content

Explained the "Remember Me" firewall options #5021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Apr 3, 2015
Merged

Explained the "Remember Me" firewall options #5021

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
91172bc
Explained the "Remember Me" firewall options
javiereguiluz Feb 19, 2015
7e45958
Added the (important) missing "key" option
javiereguiluz Feb 19, 2015
aa91c37
Fixed a wrong explanation of the "httponly" option
javiereguiluz Feb 22, 2015
63890b1
Put the default value alongside the name of the option to improve rea…
javiereguiluz Mar 25, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 51 additions & 10 deletions cookbook/security/remember_me.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,7 @@ Once a user is authenticated, their credentials are typically stored in the
session. This means that when the session ends they will be logged out and
have to provide their login details again next time they wish to access the
application. You can allow users to choose to stay logged in for longer than
the session lasts using a cookie with the ``remember_me`` firewall option.
The firewall needs to have a secret key configured, which is used to encrypt
the cookie's content. It also has several options with default values which
are shown here:
the session lasts using a cookie with the ``remember_me`` firewall option:

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is somewhat important no?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for reporting this error. I totally forgot to add the key option to the list. I've added it in 7e45958

.. configuration-block::

Expand All @@ -22,9 +19,8 @@ are shown here:
main:
remember_me:
key: "%secret%"
lifetime: 31536000 # 365 days in seconds
lifetime: 604800 # 1 week in seconds
path: /
domain: ~ # Defaults to the current domain from $_SERVER

.. code-block:: xml

Expand All @@ -33,9 +29,8 @@ are shown here:
<firewall>
<remember-me
key = "%secret%"
lifetime = "31536000" <!-- 365 days in seconds -->
lifetime = "604800" <!-- 1 week in seconds -->
path = "/"
domain = "" <!-- Defaults to the current domain from $_SERVER -->
/>
</firewall>
</config>
Expand All @@ -48,14 +43,60 @@ are shown here:
'main' => array(
'remember_me' => array(
'key' => '%secret%',
'lifetime' => 31536000, // 365 days in seconds
'lifetime' => 604800, // 1 week in seconds
'path' => '/',
'domain' => '', // Defaults to the current domain from $_SERVER
),
),
),
));

The ``remember_me`` firewall defines the following configuration options:

``key`` (default value: ``null``)
The value used to encrypt the cookie's content. It's common to use the
``secret`` value defined in the ``app/config/parameters.yml`` file.

``name`` (default value: ``REMEMBERME``)
The name of the cookie used to maintain the user logged in. If you enable the
"Remember Me" feature in several firewalls of the same application, make sure
to choose a different name for the cookie of each firewall. Otherwise, you'll
face lots of security related problems.

``lifetime`` (default value: ``31536000``)
The number of seconds during which the user will remain logged in. By default
users are logged in for one year.

``path`` (default value: ``/``)
The path where the cookie associated with this feature is used. By default
the cookie will be applied to the entire website but you can restrict to a
specific section (e.g. ``/forum``, ``/admin``).

``domain`` (default value: ``null``)
The domain where the cookie associated with this feature is used. By default
cookies use the current domain obtained from ``$_SERVER``.

``secure`` (default value: ``false``)
If ``true``, the cookie associated with this feature is sent to the user
through an HTTPS secure connection.

``httponly`` (default value: ``true``)
If ``true``, the cookie associated with this feature is accessible only
through the HTTP protocol. This means that the cookie won't be accessible
by scripting languages, such as JavaScript.

``remember_me_parameter`` (default value: ``_remember_me``)
The name of the form field checked to decide if the "Remember Me" feature
should be enabled or not. Keep reading this article to know how to enable
this feature conditionally.

``always_remember_me`` (default value: ``false``)
If ``true``, the value of the ``remember_me_parameter`` is ignored and the
"Remember Me" feature is always enabled, regardless of the desire of the
end user.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think key is missing?

Forcing the User to Opt-Out of the Remember Me Feature
------------------------------------------------------

It's a good idea to provide the user with the option to use or not use the
remember me functionality, as it will not always be appropriate. The usual
way of doing this is to add a checkbox to the login form. By giving the checkbox
Expand Down