Skip to content

Explained the "Remember Me" firewall options #5021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Apr 3, 2015
Merged

Explained the "Remember Me" firewall options #5021

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
91172bc
Explained the "Remember Me" firewall options
javiereguiluz Feb 19, 2015
7e45958
Added the (important) missing "key" option
javiereguiluz Feb 19, 2015
aa91c37
Fixed a wrong explanation of the "httponly" option
javiereguiluz Feb 22, 2015
63890b1
Put the default value alongside the name of the option to improve rea…
javiereguiluz Mar 25, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 47 additions & 10 deletions cookbook/security/remember_me.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,7 @@ Once a user is authenticated, their credentials are typically stored in the
session. This means that when the session ends they will be logged out and
have to provide their login details again next time they wish to access the
application. You can allow users to choose to stay logged in for longer than
the session lasts using a cookie with the ``remember_me`` firewall option.
The firewall needs to have a secret key configured, which is used to encrypt
the cookie's content. It also has several options with default values which
are shown here:
the session lasts using a cookie with the ``remember_me`` firewall option:

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is somewhat important no?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for reporting this error. I totally forgot to add the key option to the list. I've added it in 7e45958

.. configuration-block::

Expand All @@ -22,9 +19,8 @@ are shown here:
main:
remember_me:
key: "%secret%"
lifetime: 31536000 # 365 days in seconds
lifetime: 604800 # 1 week in seconds
path: /
domain: ~ # Defaults to the current domain from $_SERVER

.. code-block:: xml

Expand All @@ -33,9 +29,8 @@ are shown here:
<firewall>
<remember-me
key = "%secret%"
lifetime = "31536000" <!-- 365 days in seconds -->
lifetime = "604800" <!-- 1 week in seconds -->
path = "/"
domain = "" <!-- Defaults to the current domain from $_SERVER -->
/>
</firewall>
</config>
Expand All @@ -48,14 +43,56 @@ are shown here:
'main' => array(
'remember_me' => array(
'key' => '%secret%',
'lifetime' => 31536000, // 365 days in seconds
'lifetime' => 604800, // 1 week in seconds
'path' => '/',
'domain' => '', // Defaults to the current domain from $_SERVER
),
),
),
));

The ``remember_me`` firewall defines the following configuration options:

``name``
(default value: ``REMEMBERME``) The name of the cookie used to maintain the
user logged in. If you enable the "Remember Me" feature in several firewalls
of the same application, make sure to choose a different name for the cookie
of each firewall. Otherwise, you'll face lots of security related problems.

``lifetime``
(default value: ``31536000``) The number of seconds during which the user
will remain logged in. By default users are logged in for one year.

``path``
(default value: ``/``) The path where the cookie associated with this
feature is used. By default the cookie will be applied to the entire website
but you can restrict to a specific section (e.g. ``/forum``, ``/admin``).

``domain``
(default value: ``null``) The domain where the cookie associated with this
feature is used. By default cookies use the current domain obtained from
``$_SERVER``.

``secure``
(default value: ``false``) If ``true``, the cookie associated with this
feature is sent to the user through an HTTPS secure connection.

``httponly``
(default value: ``true``) If ``true``, the cookie associated with this
feature is sent to the user exclusively through an HTTP non-secure connection.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This explanation looks wrong to me. httponly refers to the httponly flag of cookies, which are telling the browser that the cookie should be transmitted for HTTP requests but that it should not be exposed to client-side code.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right. I've just fixed the description of this option. Thanks.


``remember_me_parameter``
(default value: ``_remember_me``) The name of the form field checked to
decide if the "Remember Me" feature should be enabled or not. Keep reading
this article to know how to enable this feature conditionally.

``always_remember_me``
(default value: ``false``) If ``true``, the value of the ``remember_me_parameter``
is ignored and the "Remember Me" feature is always enabled, regardless of the
desire of the end user.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think key is missing?

Forcing the User to Opt-Out of the Remember Me Feature
------------------------------------------------------

It's a good idea to provide the user with the option to use or not use the
remember me functionality, as it will not always be appropriate. The usual
way of doing this is to add a checkbox to the login form. By giving the checkbox
Expand Down