How to Customize Access Denied Responses, and "remember me" #19663

Open
pauljura opened this issue Mar 12, 2024 · 0 comments
Hi folks, this page https://symfony.com/doc/current/security/access_denied_handler.html makes no mention of users authenticated with "remember me". I think it should be made more clear that "remember me" is treated the same as unauthenticated for the purpose of deciding whether to redirect to login or display a 403 forbidden.

I suggest changing from:

If the user is authenticated ...

to:

Only if the user is fully authenticated (note: "remember me" does not count as fully authenticated)

or something along those lines.

Also, the section below that contains:

... that is called whenever an unauthenticated user tries to access a protected resource

is misleading and should be changed. Instead of "unauthenticated users" it really should say "not fully authenticated users".

Side note, I disagree with the current behaviour (I think users authenticated with "remember me" should count as "authenticated"), but it is what it is and I think the docs should make it clear so future developers don't get surprised.
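The behaviour the issue describes, as an added example (not code from the Symfony documentation, the Symfony project, or the issue author): a small PHP script that reproduces the check Symfony's firewall exception listener makes when an AccessDeniedException bubbles up. It asks the authentication trust resolver whether the current token is "full fledged"; an anonymous (null) token and a remember-me token both fail that test and get sent to the entry point (login redirect), while a username/password token reaches the access denied handler and gets a 403. The `JsonAccessDeniedHandler` class, the `decide()` helper and the firewall name `main` are assumptions made for this example; the token constructor signatures assume Symfony 6.4 or 7.x.

```php
<?php
// Added example, not part of the issue or the Symfony docs. Assumes Symfony 6.4+/7.x
// (symfony/security-core, symfony/security-http, symfony/http-foundation installed).

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\User\InMemoryUser;
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;

/**
 * Hypothetical custom handler (not from the docs): answers 403 with a JSON body.
 * Symfony only invokes this for a token the trust resolver considers fully
 * authenticated; remember-me and anonymous requests never reach it.
 */
final class JsonAccessDeniedHandler implements AccessDeniedHandlerInterface
{
    public function handle(Request $request, AccessDeniedException $accessDeniedException): ?Response
    {
        return new JsonResponse(
            ['error' => 'forbidden', 'path' => $request->getPathInfo()],
            Response::HTTP_FORBIDDEN
        );
    }
}

/**
 * Mirrors the decision Symfony's ExceptionListener makes for an
 * AccessDeniedException: not "full fledged" => entry point (login redirect),
 * "full fledged" => access denied handler / 403.
 */
function decide(?TokenInterface $token, AccessDeniedHandlerInterface $handler): string
{
    $resolver = new AuthenticationTrustResolver();

    // isFullFledged() is false for a null token AND for a RememberMeToken.
    if (!$resolver->isFullFledged($token)) {
        return 'not fully authenticated -> entry point (redirect to login)';
    }

    $response = $handler->handle(Request::create('/admin'), new AccessDeniedException());

    return sprintf('fully authenticated -> access denied handler (HTTP %d)', $response->getStatusCode());
}

$user    = new InMemoryUser('alice', null, ['ROLE_USER']);   // constructed sample user
$handler = new JsonAccessDeniedHandler();

// 1. no token at all (anonymous request)
echo "anonymous:      ", decide(null, $handler), PHP_EOL;

// 2. user restored from the remember-me cookie on firewall "main"
echo "remember-me:    ", decide(new RememberMeToken($user, 'main'), $handler), PHP_EOL;

// 3. user who just submitted the login form on firewall "main"
echo "form login:     ", decide(new UsernamePasswordToken($user, 'main', $user->getRoles()), $handler), PHP_EOL;
```

To wire the handler into a real application you register it on the firewall with the `access_denied_handler` key, as the linked documentation page shows; the script above only isolates the "which branch do I land in" decision so the remember-me case can be observed without booting a kernel. If a remember-me user should be allowed through without re-logging in, the access rule itself has to require `IS_AUTHENTICATED_REMEMBERED` rather than `IS_AUTHENTICATED_FULLY`; the handler cannot change that.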
