Add info about storing remember me tokens in a database #11392

Merged
merged 1 commit into from
Apr 12, 2019
121 changes: 115 additions & 6 deletions security/remember_me.rst
Expand Up @@ -125,12 +125,8 @@ The ``remember_me`` firewall defines the following configuration options:
end user.

``token_provider`` (default value: ``null``)
Defines the service id of a token provider to use. By default, tokens are
stored in a cookie. For example, you might want to store the token in a
database, to not have a (hashed) version of the password in a cookie. The
DoctrineBridge comes with a
``Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider`` that
you can use.
Defines the service id of a token provider to use. If you want to store tokens
in the database, see :ref:`token_in_database`.

Forcing the User to Opt-Out of the Remember Me Feature
------------------------------------------------------
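Review bot: The rewritten `token_provider` entry drops the sentence that stated the default behaviour ("By default, tokens are stored in a cookie"), so a reader who only scans the option list no longer learns what the `null` default means. Consider keeping that sentence before the cross-reference, e.g. "Defines the service id of a token provider to use. By default, tokens are stored in a cookie. If you want to store tokens in the database, see :ref:`token_in_database`."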
Expand Down Expand Up @@ -261,3 +257,116 @@ your controller using annotations::

For more information on securing services or methods in this way,
see :doc:`/security/securing_services`.

.. _token_in_database:

Storing Remember Me Tokens in the Database
------------------------------------------

By default, tokens are stored in a cookie. You can choose to store the token in a database,
to not have a (hashed) version of the password in a cookie.
Contributor

why (hashed) with parentheses?

also, is it really the password? or like a hash?

Contributor Author

why (hashed) with parentheses?

This was just copied from the original description, I'm not sure why the parenthesis is needed

also, is it really the password? or like a hash?

It's a hashed version of the password

The DoctrineBridge comes with a
:class:`Symfony\\Bridge\\Doctrine\\Security\\RememberMe\\DoctrineTokenProvider` class
that you can use. In order to use the ``DoctrineTokenProvider``, you first
need to register it as a service:

.. configuration-block::

.. code-block:: yaml

# app/config/services.yml
services:
# ...

Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider: ~

.. code-block:: xml

<!-- app/config/services.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<container xmlns="http://symfony.com/schema/dic/services"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://symfony.com/schema/dic/services https://symfony.com/schema/dic/services/services-1.0.xsd">

<services>
<service id="Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider" />
</services>
</container>

.. code-block:: php

// app/config/services.php
use Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider;

$container->register(DoctrineTokenProvider::class);

The ``DoctrineTokenProvider`` makes use of a database table to store the tokens.
You need to ensure the following table exists in your database:

.. code-block:: sql

CREATE TABLE `rememberme_token` (
`series` char(88) UNIQUE PRIMARY KEY NOT NULL,
`value` char(88) NOT NULL,
`lastUsed` datetime NOT NULL,
`class` varchar(100) NOT NULL,
`username` varchar(200) NOT NULL
);

Then you need to set the ``token_provider`` option of the ``remember_me`` config
to the service you just created:

.. configuration-block::

.. code-block:: yaml

# app/config/security.yml
security:
# ...

firewalls:
main:
# ...
remember_me:
# ...
token_provider: '@Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider'

.. code-block:: xml

<!-- app/config/security.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
xmlns:srv="http://symfony.com/schema/dic/services"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://symfony.com/schema/dic/services
https://symfony.com/schema/dic/services/services-1.0.xsd">

<config>
<!-- ... -->

<firewall name="main">
<!-- ... -->

<remember-me
token_profider="@Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider"
/>
</firewall>
</config>
</srv:container>

.. code-block:: php

// app/config/security.php
$container->loadFromExtension('security', [
// ...

'firewalls' => [
'main' => [
// ...
'remember_me' => [
// ...
'token_provider' => '@Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider',
],
],
],
]);
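Review bot: The attribute name `token_profider` in the `app/config/security.xml` example is misspelled; the other names in these XML examples are hyphenated (`remember-me`), so it should presumably read `token-provider`, and as written the example will not configure the provider at all. Two further points to verify before merging: the option is documented a few lines above as taking "the service id of a token provider", so the leading `@` in `'@Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider'` (repeated in the YAML, XML and PHP variants) may be wrong, since `@` is the service-reference shorthand of the services configuration rather than part of a service id; and the section's motivation ("to not have a (hashed) version of the password in a cookie") reuses exactly the wording the reviewer questioned, so it would help to spell out what the cookie-based default actually stores, otherwise the security benefit of the database provider stays unclear to the reader.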