Adding Remember Me

Go back to the HTML form. It has one other field that we haven't talked about yet: the "remember me" checkbox.

37 lines | templates/security/login.html.twig
{# ... lines 1 - 10 #}
{% block body %}
<form class="form-signin" method="post">
    {# ... lines 13 - 26 #}
    <div class="checkbox mb-3">
        <label>
            <input type="checkbox" value="remember-me"> Remember me
        </label>
    </div>
    {# ... lines 32 - 34 #}
</form>
{% endblock %}

You could check & uncheck this to your heart's delight: that works great. But... checking it does... nothing. No worries: making this actually work is super easy - just two steps.

First, make sure that your checkbox has no value and that its name is _remember_me:

37 lines | templates/security/login.html.twig
{# ... lines 1 - 10 #}
{% block body %}
<form class="form-signin" method="post">
    {# ... lines 13 - 26 #}
    <div class="checkbox mb-3">
        <label>
            <input type="checkbox" name="_remember_me"> Remember me
        </label>
    </div>
    {# ... lines 32 - 34 #}
</form>
{% endblock %}

That's the magic name that Symfony will look for. Second, in security.yaml, under your firewall, add a new remember_me section. Add two other keys below this. The first is required: secret set to %kernel.secret%:

40 lines | config/packages/security.yaml
security:
    # ... lines 2 - 8
    firewalls:
        # ... lines 10 - 12
        main:
            # ... lines 14 - 22
            remember_me:
                secret: '%kernel.secret%'
            # ... lines 25 - 40

Second, lifetime set to 2592000, which is 30 days in seconds:

40 lines | config/packages/security.yaml
security:
    # ... lines 2 - 8
    firewalls:
        # ... lines 10 - 12
        main:
            # ... lines 14 - 22
            remember_me:
                secret: '%kernel.secret%'
                lifetime: 2592000 # 30 days in seconds
            # ... lines 26 - 40

This option is... optional - it defaults to one year.

More about Parameters

As soon as you add this key, if the user checks a checkbox whose name is _remember_me, then a "remember me" cookie will be instantly set and used to log in the user if their session expires. This secret option is a cryptographic secret that's used to sign the data in that cookie. If you ever need a cryptographic secret, Symfony has a parameter called kernel.secret. Remember: anything surrounded by percent signs is a parameter. We never created this parameter directly: this is one of those built-in parameters that Symfony always makes available.

To see a list of all of the parameters, don't forget this handy command:

php bin/console debug:container --parameters

The most important ones start with kernel. Check out kernel.secret. Interesting, it's set to %env(APP_SECRET)%. This means that it's set to the environment variable APP_SECRET. That's one of the variables that's configured in our .env file.
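To make the role of secret and lifetime concrete, here is an added PHP example (not code from this tutorial, and not Symfony's actual cookie format) of a cookie whose contents are signed with a server-side secret. The function names makeRememberMeCookie and verifyRememberMeCookie, the cookie layout and the secret values are assumptions made for the illustration.

```php
<?php
// Added illustration, not Symfony's implementation: a simplified signed cookie.
// The field layout and function names are assumptions made for this example.

function makeRememberMeCookie(string $userIdentifier, int $lifetime, string $secret, int $now): string
{
    $payload = base64_encode($userIdentifier) . ':' . ($now + $lifetime);
    // The secret stays on the server; only the HMAC over the payload goes into the cookie.
    return $payload . ':' . hash_hmac('sha256', $payload, $secret);
}

/** Returns the user identifier, or null if the cookie is forged, altered or expired. */
function verifyRememberMeCookie(string $cookie, string $secret, int $now): ?string
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$encodedUser, $expires, $signature] = $parts;

    $expected = hash_hmac('sha256', $encodedUser . ':' . $expires, $secret);
    // hash_equals() compares in constant time, unlike == or ===.
    if (!hash_equals($expected, $signature)) {
        return null;
    }
    // The expiry is covered by the signature, so a client cannot extend it.
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    $user = base64_decode($encodedUser, true);

    return $user === false ? null : $user;
}

// Constructed sample values, for demonstration only.
$secret = 'constructed-demo-secret';
$now = 1700000000;
$cookie = makeRememberMeCookie('spacebar1@example.com', 2592000, $secret, $now);

// Case 1: untouched cookie, one day later.
var_dump(verifyRememberMeCookie($cookie, $secret, $now + 86400));
// Case 2: user identifier swapped while the old signature is kept.
$altered = base64_encode('other@example.com') . substr($cookie, strpos($cookie, ':'));
var_dump(verifyRememberMeCookie($altered, $secret, $now + 86400));
// Case 3: one second past the 30-day lifetime.
var_dump(verifyRememberMeCookie($cookie, $secret, $now + 2592001));
// Case 4: server secret rotated after the cookie was issued.
var_dump(verifyRememberMeCookie($cookie, 'rotated-demo-secret', $now + 86400));
```

Only the first call returns the identifier; the other three return null. In a scheme like this one, changing the secret invalidates every cookie issued under the old value, and anyone who learns the secret can produce valid cookies, so it belongs in the environment rather than in committed code.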

Anyways, let's try this out! I'll re-open my inspector and refresh the login page. Go to Application, Cookies. Right now, there is only one: PHPSESSID.

This time, check the "remember me" box and log in. Now we also have a REMEMBERME cookie! And, check this out: I'm logged in as spacebar1@example.com. Delete the PHPSESSID - it currently starts with q3 - and refresh. Yes! We are still logged in!

A totally new session was created - with a new id. But even though this new session is empty, the remember me cookie causes us to stay logged in. You can even see that there's a new Token class called RememberMeToken. That's a low-level detail, but, it's a nice way to prove that this just worked.

Next - we've happily existed so far without storing or checking user passwords. Time to change that!