From 91172bc50e1cc979e68d58607de6bceb31ffe0a3 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Thu, 19 Feb 2015 15:25:01 +0100 Subject: [PATCH 1/4] Explained the "Remember Me" firewall options --- cookbook/security/remember_me.rst | 57 +++++++++++++++++++++++++------ 1 file changed, 47 insertions(+), 10 deletions(-) diff --git a/cookbook/security/remember_me.rst b/cookbook/security/remember_me.rst index e9c22b5a3e7..53b44270977 100644 --- a/cookbook/security/remember_me.rst +++ b/cookbook/security/remember_me.rst @@ -8,10 +8,7 @@ Once a user is authenticated, their credentials are typically stored in the session. This means that when the session ends they will be logged out and have to provide their login details again next time they wish to access the application. You can allow users to choose to stay logged in for longer than -the session lasts using a cookie with the ``remember_me`` firewall option. -The firewall needs to have a secret key configured, which is used to encrypt -the cookie's content. It also has several options with default values which -are shown here: +the session lasts using a cookie with the ``remember_me`` firewall option: .. configuration-block:: @@ -22,9 +19,8 @@ are shown here: main: remember_me: key: "%secret%" - lifetime: 31536000 # 365 days in seconds + lifetime: 604800 # 1 week in seconds path: / - domain: ~ # Defaults to the current domain from $_SERVER .. code-block:: xml @@ -33,9 +29,8 @@ are shown here: + lifetime = "604800" path = "/" - domain = "" /> @@ -48,14 +43,56 @@ are shown here: 'main' => array( 'remember_me' => array( 'key' => '%secret%', - 'lifetime' => 31536000, // 365 days in seconds + 'lifetime' => 604800, // 1 week in seconds 'path' => '/', - 'domain' => '', // Defaults to the current domain from $_SERVER ), ), ), )); +The ``remember_me`` firewall defines the following configuration options: + +``name`` + (default value: ``REMEMBERME``) The name of the cookie used to maintain the + user logged in. If you enable the "Remember Me" feature in several firewalls + of the same application, make sure to choose a different name for the cookie + of each firewall. Otherwise, you'll face lots of security related problems. + +``lifetime`` + (default value: ``31536000``) The number of seconds during which the user + will remain logged in. By default users are logged in for one year. + +``path`` + (default value: ``/``) The path where the cookie associated with this + feature is used. By default the cookie will be applied to the entire website + but you can restrict to a specific section (e.g. ``/forum``, ``/admin``). + +``domain`` + (default value: ``null``) The domain where the cookie associated with this + feature is used. By default cookies use the current domain obtained from + ``$_SERVER``. + +``secure`` + (default value: ``false``) If ``true``, the cookie associated with this + feature is sent to the user through an HTTPS secure connection. + +``httponly`` + (default value: ``true``) If ``true``, the cookie associated with this + feature is sent to the user exclusively through an HTTP non-secure connection. + +``remember_me_parameter`` + (default value: ``_remember_me``) The name of the form field checked to + decide if the "Remember Me" feature should be enabled or not. Keep reading + this article to know how to enable this feature conditionally. + +``always_remember_me`` + (default value: ``false``) If ``true``, the value of the ``remember_me_parameter`` + is ignored and the "Remember Me" feature is always enabled, regardless of the + desire of the end user. + +Forcing the User to Opt-Out of the Remember Me Feature +------------------------------------------------------ + It's a good idea to provide the user with the option to use or not use the remember me functionality, as it will not always be appropriate. The usual way of doing this is to add a checkbox to the login form. By giving the checkbox From 7e459585395a948b50a3d28f248090def012507d Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Thu, 19 Feb 2015 17:39:21 +0100 Subject: [PATCH 2/4] Added the (important) missing "key" option --- cookbook/security/remember_me.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cookbook/security/remember_me.rst b/cookbook/security/remember_me.rst index 53b44270977..a73107cac8b 100644 --- a/cookbook/security/remember_me.rst +++ b/cookbook/security/remember_me.rst @@ -52,6 +52,11 @@ the session lasts using a cookie with the ``remember_me`` firewall option: The ``remember_me`` firewall defines the following configuration options: +``key`` + (default value: ``null``) The value used to encrypt the cookie's content. + It's common to use the ``secret`` value defined in the ``app/config/parameters.yml`` + file. + ``name`` (default value: ``REMEMBERME``) The name of the cookie used to maintain the user logged in. If you enable the "Remember Me" feature in several firewalls From aa91c376592508fdf3c17d0abee6927e20511fae Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Sun, 22 Feb 2015 16:07:10 +0100 Subject: [PATCH 3/4] Fixed a wrong explanation of the "httponly" option --- cookbook/security/remember_me.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cookbook/security/remember_me.rst b/cookbook/security/remember_me.rst index a73107cac8b..770e2ba8cd7 100644 --- a/cookbook/security/remember_me.rst +++ b/cookbook/security/remember_me.rst @@ -83,7 +83,8 @@ The ``remember_me`` firewall defines the following configuration options: ``httponly`` (default value: ``true``) If ``true``, the cookie associated with this - feature is sent to the user exclusively through an HTTP non-secure connection. + feature is accessible only through the HTTP protocol. This means that the + cookie won't be accessible by scripting languages, such as JavaScript. ``remember_me_parameter`` (default value: ``_remember_me``) The name of the form field checked to From 63890b114433fc4c988869c7d2a3434f96bacb26 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Wed, 25 Mar 2015 21:53:02 +0100 Subject: [PATCH 4/4] Put the default value alongside the name of the option to improve readability --- cookbook/security/remember_me.rst | 84 +++++++++++++++---------------- 1 file changed, 41 insertions(+), 43 deletions(-) diff --git a/cookbook/security/remember_me.rst b/cookbook/security/remember_me.rst index 770e2ba8cd7..c278996ef2f 100644 --- a/cookbook/security/remember_me.rst +++ b/cookbook/security/remember_me.rst @@ -52,49 +52,47 @@ the session lasts using a cookie with the ``remember_me`` firewall option: The ``remember_me`` firewall defines the following configuration options: -``key`` - (default value: ``null``) The value used to encrypt the cookie's content. - It's common to use the ``secret`` value defined in the ``app/config/parameters.yml`` - file. - -``name`` - (default value: ``REMEMBERME``) The name of the cookie used to maintain the - user logged in. If you enable the "Remember Me" feature in several firewalls - of the same application, make sure to choose a different name for the cookie - of each firewall. Otherwise, you'll face lots of security related problems. - -``lifetime`` - (default value: ``31536000``) The number of seconds during which the user - will remain logged in. By default users are logged in for one year. - -``path`` - (default value: ``/``) The path where the cookie associated with this - feature is used. By default the cookie will be applied to the entire website - but you can restrict to a specific section (e.g. ``/forum``, ``/admin``). - -``domain`` - (default value: ``null``) The domain where the cookie associated with this - feature is used. By default cookies use the current domain obtained from - ``$_SERVER``. - -``secure`` - (default value: ``false``) If ``true``, the cookie associated with this - feature is sent to the user through an HTTPS secure connection. - -``httponly`` - (default value: ``true``) If ``true``, the cookie associated with this - feature is accessible only through the HTTP protocol. This means that the - cookie won't be accessible by scripting languages, such as JavaScript. - -``remember_me_parameter`` - (default value: ``_remember_me``) The name of the form field checked to - decide if the "Remember Me" feature should be enabled or not. Keep reading - this article to know how to enable this feature conditionally. - -``always_remember_me`` - (default value: ``false``) If ``true``, the value of the ``remember_me_parameter`` - is ignored and the "Remember Me" feature is always enabled, regardless of the - desire of the end user. +``key`` (default value: ``null``) + The value used to encrypt the cookie's content. It's common to use the + ``secret`` value defined in the ``app/config/parameters.yml`` file. + +``name`` (default value: ``REMEMBERME``) + The name of the cookie used to maintain the user logged in. If you enable the + "Remember Me" feature in several firewalls of the same application, make sure + to choose a different name for the cookie of each firewall. Otherwise, you'll + face lots of security related problems. + +``lifetime`` (default value: ``31536000``) + The number of seconds during which the user will remain logged in. By default + users are logged in for one year. + +``path`` (default value: ``/``) + The path where the cookie associated with this feature is used. By default + the cookie will be applied to the entire website but you can restrict to a + specific section (e.g. ``/forum``, ``/admin``). + +``domain`` (default value: ``null``) + The domain where the cookie associated with this feature is used. By default + cookies use the current domain obtained from ``$_SERVER``. + +``secure`` (default value: ``false``) + If ``true``, the cookie associated with this feature is sent to the user + through an HTTPS secure connection. + +``httponly`` (default value: ``true``) + If ``true``, the cookie associated with this feature is accessible only + through the HTTP protocol. This means that the cookie won't be accessible + by scripting languages, such as JavaScript. + +``remember_me_parameter`` (default value: ``_remember_me``) + The name of the form field checked to decide if the "Remember Me" feature + should be enabled or not. Keep reading this article to know how to enable + this feature conditionally. + +``always_remember_me`` (default value: ``false``) + If ``true``, the value of the ``remember_me_parameter`` is ignored and the + "Remember Me" feature is always enabled, regardless of the desire of the + end user. Forcing the User to Opt-Out of the Remember Me Feature ------------------------------------------------------