Simpler Programmatic Login
Contributed by Arnaud Frézet and Robin Chalas in #41274.
Logging in users programmatically is a common need in many applications. That's why in Symfony 6.2 we're adding a login() method to the Security service.
On any service or controller, you can now do this:
// login() is provided by the SecurityBundle helper; the
// Symfony\Component\Security\Core\Security class is deprecated as of 6.2
use Symfony\Bundle\SecurityBundle\Security;
// ...

class SomeService
{
    public function __construct(
        private Security $security,
    ) {
    }

    public function someMethod()
    {
        // fetch a UserInterface object somehow (e.g. from a database)
        $user = ...;

        // log in the user programmatically
        $this->security->login($user);

        // if several authenticators are associated with the current firewall,
        // you must explicitly pass the name of the authenticator to use
        $this->security->login($user, 'form_login');
        $this->security->login($user, SomeApiKeyAuthenticator::class);

        // ...
    }
}
Custom Target URL When Impersonating Users
Contributed by Antoine Makdessi in #46338.
Similar to the feature that allows you to configure the target URL after login, in Symfony 6.2 we're adding a new feature that lets you configure the target URL after impersonating a user. To do so, define the new target_url option under the switch_user option of your firewall:
# config/packages/security.yaml
security:
    # ...
    firewalls:
        main:
            # ...
            switch_user:
                # ...
                target_url: https://example.com/...
Custom Lifetime for Login Links
Contributed by Mathias Brodala in #46567.
When using login links to implement passwordless authentication, the lifetime of those links is configured globally for all links. In Symfony 6.2 we're adding a feature so you can configure the lifetime per link. Use the third optional argument of createLoginLink() to override the global lifetime with a new custom value (in seconds):
// this login link will have a lifetime of 60 seconds
$loginLinkDetails = $loginLinkHandler->createLoginLink($user, null, 60);
$loginLink = $loginLinkDetails->getUrl();
Multiple User Checkers per Firewall
Contributed by Michael Babker in #46064.
User checkers allow you to define additional checks performed during the authentication of a user, to verify whether the identified user is allowed to log in. Until now, you could apply only one user checker per firewall, which made it harder to share logic.
Imagine an application that has two firewalls (e.g. API and traditional web login) and needs to apply these checkers: for both firewalls, check that the user account is not disabled; for the API firewall, also check that the user has API access.
In Symfony 6.2 we're introducing a new "chained user checker" feature so you can call multiple user checkers for a firewall. To do so, apply to each user checker the tags corresponding to the firewalls where it applies (tags follow the pattern security.user_checker. followed by the firewall name).
In Symfony 6.2, the previous example can be solved as follows:
namespace App\Security\User;

use Symfony\Component\DependencyInjection\Attribute\Autoconfigure;
use Symfony\Component\Security\Core\User\UserCheckerInterface;

#[Autoconfigure(tags: [['security.user_checker.main' => ['priority' => 10]]])]
#[Autoconfigure(tags: [['security.user_checker.api' => ['priority' => 10]]])]
final class DisabledAccountUserChecker implements UserCheckerInterface
{
    // ...
}

#[Autoconfigure(tags: [['security.user_checker.api' => ['priority' => 5]]])]
final class ApiAccessAllowedUserChecker implements UserCheckerInterface
{
    // ...
}
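As an added illustration (not code from the original post or from Symfony itself), the two checker bodies could be filled in as follows. The App\Entity\User class and its isDisabled() and hasApiAccess() methods are hypothetical, and running the API check in checkPostAuth() is a choice made for this example.

```php
<?php
// Added example. App\Entity\User and its isDisabled() / hasApiAccess()
// methods are hypothetical names used for illustration.
namespace App\Security\User;

use App\Entity\User;
use Symfony\Component\DependencyInjection\Attribute\Autoconfigure;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;

// Shared by both firewalls; priority 10 places it ahead of the API check.
#[Autoconfigure(tags: [['security.user_checker.main' => ['priority' => 10]]])]
#[Autoconfigure(tags: [['security.user_checker.api' => ['priority' => 10]]])]
final class DisabledAccountUserChecker implements UserCheckerInterface
{
    public function checkPreAuth(UserInterface $user): void
    {
        // checkPreAuth() runs before the credentials are verified.
        if ($user instanceof User && $user->isDisabled()) {
            throw new CustomUserMessageAccountStatusException('This account is disabled.');
        }
    }

    public function checkPostAuth(UserInterface $user): void
    {
    }
}

// Tagged for the api firewall only, so web logins are not affected.
#[Autoconfigure(tags: [['security.user_checker.api' => ['priority' => 5]]])]
final class ApiAccessAllowedUserChecker implements UserCheckerInterface
{
    public function checkPreAuth(UserInterface $user): void
    {
    }

    public function checkPostAuth(UserInterface $user): void
    {
        // checkPostAuth() runs after the credentials are verified, so this message
        // only reaches a caller who authenticated. Unknown user types fail closed.
        if (!$user instanceof User || !$user->hasApiAccess()) {
            throw new CustomUserMessageAccountStatusException('API access is not enabled for this account.');
        }
    }
}
```

An exception thrown by any checker in the chain aborts the authentication. Per the Symfony documentation, each firewall must also set its user_checker option to security.user_checker.chain. followed by the firewall name for the tagged checkers to be used.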