More form_login Config
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
With a Subscription, click any sentence in the script to jump to that part of the video!
Login SubscribeUsing form_login isn't as flexible as a custom authenticator class... though a lot of stuff can be configured.
For example, right now, it's not checking our CSRF token. Enable that by saying enable_csrf: true:
| security: | |
| // ... lines 2 - 16 | |
| firewalls: | |
| // ... lines 18 - 20 | |
| main: | |
| // ... lines 22 - 24 | |
| form_login: | |
| // ... lines 26 - 29 | |
| enable_csrf: true | |
| // ... lines 31 - 54 |
That's it! Over in the options, when you enable CSRF protection, it looks for a hidden field called _csrf_token with the string authenticate used to generate it. Fortunately, in our template, we're already using both of those things... so this is just going to work.
Seeing the Full List of Options
And there are even more ways we can configure this. Remember: to get this config, I ran debug:config security... which shows your current configuration, including defaults. But not all options are shown here. To see a full list, run config:dump security.
symfony console config:dump security
Instead of showing your actual config, this shows a huge list of example config. This is a much bigger list... here's form_login. A lot of this we saw before... but success_handler and failure_handler are both new. You can search the docs for these to learn how to control what happens after success or failure.
But also, later, we're going to learn about a more global way of hooking into the success or failure process by registering an event listener.
Rendering "last_username" On the Login Form
Anyways, we're not using our LoginFormAuthenticator anymore, so feel free to delete it.
And... I have good news! The core authenticator is doing one thing that our class never did! Up in authenticate()... this calls getCredentials() to read the POST data. Let me search for "session"... yup! This took me into getCredentials(). Anyways, after grabbing the submitted email - in this code that's stored as $credentials['username'] - it saves that value into the session.
It's doing that so that if authentication fails, we can read that and pre-fill the email box on the login form.
Let's do it! Go to our controller: src/Controller/SecurityController.php. This AuthenticationUtils has one other useful method. Pass a new variable to the template called last_username - you can call it last_email if you'd like - set to $authenticationUtils->getLastUsername():
| // ... lines 1 - 9 | |
| class SecurityController extends AbstractController | |
| { | |
| // ... lines 12 - 14 | |
| public function login(AuthenticationUtils $authenticationUtils): Response | |
| { | |
| return $this->render('security/login.html.twig', [ | |
| // ... line 18 | |
| 'last_username' => $authenticationUtils->getLastUsername(), | |
| ]); | |
| } | |
| // ... lines 22 - 29 | |
| } |
Once again, this is just a helper to read a specific key off of the session.
Now, in the template - login.html.twig - up here on the email field, add value="{{ last_username }} ":
| // ... lines 1 - 4 | |
| {% block body %} | |
| <div class="container"> | |
| <div class="row"> | |
| <div class="login-form bg-light mt-4 p-4"> | |
| <form method="post" class="row g-3"> | |
| // ... lines 10 - 15 | |
| <div class="col-12"> | |
| // ... line 17 | |
| <input type="email" name="email" id="inputEmail" class="form-control" value="{{ last_username }}" required autofocus> | |
| </div> | |
| // ... lines 20 - 33 | |
| </form> | |
| </div> | |
| </div> | |
| </div> | |
| {% endblock %} |
Cool! If we go to /login... it's already there from filling out the form a minute ago! If we enter a different email... yes! That sticks too.
Next: let's get back to authorization by learning how to deny access in a controller... in a number of different ways.
10 Comments
Hello,
When I use FormLoginAuthenticator(built-in) and try to login, the page is still redirecting login page. Authentication is succesfull but page is same.
We were coding redirect response in LoginFormAuthenticator(custom) as below. Did you configure anything for redirection in buil-in authenticator like custom authenticator? If not, why do I see same login page, do I have to configure authentictionsuccess also in buil-in?
Built-in Authenticator:
Hey Mahmut,
I didn't get why you send 2 different codes from
onAuthenticationSuccess().. .which is yours? I suppose you use the custom authenticator like that first code block, so I will assume that's your code. Maybe try to debug the flow withdd()? Make sure you hit thatreturn new RedirectResponse($this->router->generate('app_main_homepage',['username' => $username]));line on the successful login. If not - most probably you hit the earlier redirect which isreturn new RedirectResponse($target);. Probably you need to tweak the logic in youronAuthenticationSuccess()to make sure you redirect users to correct pages.I hope that helps!
Cheers!
Hi Victor,
Sorry for confusing. I am using below code during error. I mean if ı use built-in authenticator, it is redirecting same login page.
However, my custom login authenticator is working well.
Hey Mahmut,
The built-in authenticator can be configured via the configuration, but if you need more flexibility - better to go with your own custom authenticator where you can do whatever you want. Still you can debug the flow using
dd()- that should help to understand the flow and why it does not work as expected for you.Cheers!
I do not get the pre-filled email input once I have logged out. Is this normal? Is it because the session data has been erased at logout?
Hey Francois,
You can totally ignore that
value={{ last_username }}of course if it's not something you need. But the idea behind this thing is to keep the last username user entered - useful when they have misprint their credentials, e.g. password so they don't need to retype the username again and try a different password. That's a common practice on may websites over the internet, but that's totally up to you. Of course when you log out going to the /logout URL - the session will be destroyed and you will not see thatlast_usernameanymore.Cheers!
how can we implement this if we kept using the old
loginFormAuthonticatoron theonAuthenticationFailuremethod?Hey @Soufiyane!
Are you referring to how to print the "last username" thing? If so, the 2 steps are:
1) In your custom authenticator, in
authenticate(), after reading the email, call:2) In your controller, read that value in the same way as see in this chapter :).
Let me know if that helps!
Cheers!
Hi. I stayed with the custom login in my project. Can you show me how to add
$authenticationUtils-> getLastUsername(), in this case? In case withoutform_login: it didn't work :)Hey Leszek,
You only need to inject the service
Symfony\Component\Security\Http\Authentication\AuthenticationUtilsinto your Controller's method, or in case you need it in your authenticator, you can add another argument constructor and inject it thereCheers!
"Houston: no signs of life"
Start the conversation!