New in Symfony 6.3: Login and Logout Improvements

May 3, 2023 · Published by Avatar of Javier Eguiluz Javier Eguiluz

Symfony 6.3 is backed by:

Shopware offers you cutting-edge, highly adaptable ecommerce solutions trusted by the world's most acclaimed brands. Create outstanding customer experiences, innovate fast, and accelerate your growth in the ever-evolving space of digital commerce. You decide how far you want to go, and we'll be by your side.
Les-Tilleuls.coop is a team of 70+ Symfony experts who can help you design, develop and fix your projects. We provide a wide range of professional services including development, consulting, coaching, training and audits. We also are highly skilled in JS, Go and DevOps. We are a worker cooperative!
As a professional software service provider, basecom implements customized solutions in the areas of e-commerce, PIM solutions and web portals. With our experience and certified expertise, we have been one of the most renowned Symfony specialists in Germany for many years.
As the creator of Symfony, SensioLabs supports companies using Symfony, with an offering encompassing consultancy, expertise, services, training, and technical assistance to ensure the success of web application development projects.

Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.

Custom Redirection with Programmatic Login

Nicolas Sauveur

Contributed by
Nicolas Sauveur
in #48582.

In Symfony 6.2 we introduced a login() method to ease the programmatic login of users. However, this method returned void, so you couldn't customize the response after the user login.

The underlying UserAuthenticator::authenticateUser() called by login() returns a Response object which can be used to redirect the user. That's why in Symfony 6.3, the login() method now returns that Response object too:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpFoundation\Response;

class RegistrationController extends AbstractController
{
    public function verifyUserEmail(Security $security): Response
    {
        // ...

        $redirectResponse = $security->login($user);

        return $redirectResponse;
    }
}

Remember Me Option for JSON Logins

Markus Baumer

Contributed by
Markus Baumer
in #48899.

JSON login is one of the built-in authentication mechanisms provided by Symfony. It's popular e.g. when building APIs to generate security tokens based on a given username (or email) and password.

Remember me is a built-in Symfony security feature that allows to store some user credentials in a signed cookie so they don't have to provide them again the next time they browse your application.

In Symfony 6.3 we're merging both features to provide Remember Me support for JSON logins. To do so, add a _remember_me key (this name is configurable) to the body of your POST request:

1
2
3
4
5
{
    "username": "dunglas@example.com",
    "password": "MyPassword",
    "_remember_me": true
}

Clear Site Data After Logout

Maximilian Beckers

Contributed by
Maximilian Beckers
in #49306.

The Clear-Site-Data HTTP header clears browsing data (cookies, storage, cache) associated with the requesting website. It allows web developers to have more control over the data stored by a client browser for their origins.

In Symfony 6.3, we're adding support for this HTTP header via the logout configuration of your firewalls:

1
2
3
4
5
6
7
8
9
10
11
12
13
security:
    # ...
    firewalls:
        main:
            # ...
            logout:
                path: app_logout
                # the available options are 'cache', 'cookies', 'storage', 'executionContexts'
                # you can also use the '*' wildcard to clear all data
                clear_site_data:
                    - cache
                    - storage
                    - executionContexts
Published in #Living on the edge

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of Thomas Schulz
Thomas Schulz said on May 3, 2023
I'm wondering what happens when you use Clear-Site-Data: cookies and Set-Cookie response headers at the same time :-)
Avatar of Issam KHADIRI
Issam KHADIRI Certified said on May 3, 2023
Just amazing. Thank you very much
Avatar of Christophe Coevoet
Christophe Coevoet said on May 3, 2023
@thomas the spec covers this case: the cookie you just set is also cleared by the Clear-Site-Data header as it is processed after it: https://w3c.github.io/webappsec-clear-site-data/#fetch-integration
Avatar of Alexander Schranz
Alexander Schranz Certified said on May 3, 2023
Think it is a good hint to know that the browser support of "Clear Site Data" header is very different:

https://caniuse.com/mdn-http_headers_clear-site-data_cache
https://caniuse.com/mdn-http_headers_clear-site-data_storage
https://caniuse.com/mdn-http_headers_clear-site-data_cookies
https://caniuse.com/mdn-http_headers_clear-site-data_executioncontexts
Avatar of Roman Allenstein
Roman Allenstein said on May 3, 2023
❤️ it!

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.