How to check if an user is logged in Symfony2 inside a controller?

symfony login symfony-security
JeanValjean picture JeanValjean · Apr 22, 2012 · Viewed 125.4k times · Source

I read here how to check the login status of an user by inside a twig template for a Symfony2-based website. However, I need to know how to check if the user is logged in from inside a controller. I was quite sure the the following code was right:

$user = $this->get('security.context')->getToken()->getUser();

but it always return something, e.g. a logged user or an anonymous user.

Any idea? Thanks in advance.

Answer

Bryson picture Bryson · Oct 20, 2012

Warning: Checking for 'IS_AUTHENTICATED_FULLY' alone will return false if the user has logged in using "Remember me" functionality.

According to Symfony 2 documentation, there are 3 possibilities:

IS_AUTHENTICATED_ANONYMOUSLY - automatically assigned to a user who is in a firewall protected part of the site but who has not actually logged in. This is only possible if anonymous access has been allowed.

IS_AUTHENTICATED_REMEMBERED - automatically assigned to a user who was authenticated via a remember me cookie.

IS_AUTHENTICATED_FULLY - automatically assigned to a user that has provided their login details during the current session.

Those roles represent three levels of authentication:

If you have the IS_AUTHENTICATED_REMEMBERED role, then you also have the IS_AUTHENTICATED_ANONYMOUSLY role. If you have the IS_AUTHENTICATED_FULLY role, then you also have the other two roles. In other words, these roles represent three levels of increasing "strength" of authentication.

I ran into an issue where users of our system that had used "Remember Me" functionality were being treated as if they had not logged in at all on pages that only checked for 'IS_AUTHENTICATED_FULLY'.

The answer then is to require them to re-login if they are not authenticated fully, or to check for the remembered role:

$securityContext = $this->container->get('security.authorization_checker');
if ($securityContext->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
    // authenticated REMEMBERED, FULLY will imply REMEMBERED (NON anonymous)
}

Hopefully, this will save someone out there from making the same mistake I made. I used this very post as a reference when looking up how to check if someone was logged in or not on Symfony 2.

Source: http://symfony.com/doc/2.3/cookbook/security/remember_me.html#forcing-the-user-to-re-authenticate-before-accessing-certain-resources

Related questions

How to go back to referer after login failure?

For login success there is a parameter use_referer: true. For login failure there is only failure_path, which isn't what I'm looking for. Second thing: How to do that and pass error message? Third thing: How to go back …

Read More
FOSUserBundle redirect from login page after logged in

I simply want that if admin user or front end user try to access login page even after logged in /admin/login (admin user) OR /login (front end user) then they should be redirected back to their related home page …

Read More
Disable CSRF token on login form

I am using Symfony2.0 and FOSUserBundle, and would like to disable the csrf token on my login form. I have disabled the csrf protection globally on my website in my config.yml: framework: csrf_protection: enabled: false This is working …

Read More