Custom Redirection with Programmatic Login

Contributed by Nicolas Sauveur in #48582

In Symfony 6.2 we introduced a login() method to ease the programmatic login of users. However, this method returned void, so you couldn't customize the response after the user login.

The underlying UserAuthenticator::authenticateUser() called by login() returns a Response object which can be used to redirect the user. That's why in Symfony 6.3, the login() method now returns that Response object too:

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpFoundation\Response;

class RegistrationController extends AbstractController
{
    public function verifyUserEmail(Security $security): Response
    {
        // ... (validate the verification link and load $user)

        // since Symfony 6.3, login() returns the Response created by the
        // firewall's authenticator (usually a redirect), so you can inspect
        // or modify it before sending it back to the browser
        $redirectResponse = $security->login($user);

        return $redirectResponse;
    }
}
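An added example (not code from the post or from Symfony itself) showing what the returned Response lets you do: it refuses unsigned verification links before logging the user in, then overrides the redirect target chosen by the authenticator. The UserRepository class, the app_onboarding route and the id query parameter are assumptions of this example.

```php
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\UriSigner;

class RegistrationController extends AbstractController
{
    public function verifyUserEmail(
        Request $request,
        UriSigner $uriSigner,
        UserRepository $users, // hypothetical Doctrine repository of your User entity
        Security $security,
    ): Response {
        // Never log someone in from a verification link that was not signed
        // by this application (the link was generated with UriSigner::sign()).
        if (!$uriSigner->checkRequest($request)) {
            throw $this->createAccessDeniedException('Invalid verification link.');
        }

        // assumed: the signed link carries the user id as ?id=...
        $user = $users->find($request->query->getInt('id'))
            ?? throw $this->createNotFoundException();

        // Since Symfony 6.3, login() hands back the Response produced by the
        // firewall's authenticator instead of returning void.
        $response = $security->login($user);

        $this->addFlash('success', 'Your e-mail address is verified and you are now logged in.');

        // Customize the redirect: whatever target the authenticator chose,
        // freshly verified accounts must always land on the onboarding page.
        if ($response instanceof RedirectResponse) {
            return $response->setTargetUrl($this->generateUrl('app_onboarding'));
        }

        // Defensive fallback in case the authenticator returned something else.
        return $this->redirectToRoute('app_onboarding');
    }
}
```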

Remember Me Option for JSON Logins

Contributed by Markus Baumer in #48899

JSON login is one of the built-in authentication mechanisms provided by Symfony. It's popular e.g. when building APIs to generate security tokens based on a given username (or email) and password.

Remember me is a built-in Symfony security feature that stores some user credentials in a signed cookie, so users don't have to provide them again the next time they browse your application.

In Symfony 6.3 we're merging both features to provide Remember Me support for JSON logins. To do so, add a _remember_me key (this name is configurable) to the body of your POST request:

{
    "username": "dunglas@example.com",
    "password": "MyPassword",
    "_remember_me": true
}

Clear Site Data After Logout

Contributed by Maximilian Beckers in #49306

The Clear-Site-Data HTTP header clears browsing data (cookies, storage, cache) associated with the requesting website. It allows web developers to have more control over the data stored by a client browser for their origins.

In Symfony 6.3, we're adding support for this HTTP header via the logout configuration of your firewalls:

security:
    # ...
    firewalls:
        main:
            # ...
            logout:
                path: app_logout
                # the available options are 'cache', 'cookies', 'storage', 'executionContexts'
                # you can also use the '*' wildcard to clear all data
                clear_site_data:
                    - cache
                    - storage
                    - executionContexts

Published in #Living on the edge