Secure all urls in Symfony2
I am using Symfony 2.6.6, and this is my folder structure:

    ExampleBundle
        Controller
            LoginController.php
            Other1Controller.php
            Other2Controller.php
            ...

LoginController has loginAction() and loginCheckAction(). loginAction() displays a registration form and loginCheckAction() verifies it.

I have seen several tutorials for creating LoginController.php. After the user logs in using validation, I set:

    $session->set('login', $login);

My goal: All users must be logged in before accessing the entire page of my web application.
But my site has a lot of controllers and actions (pages).
My idea: check that the 'login' session exists in every action of every controller and redirect to the login action if it doesn't exist.
But I think this is too tame. What's the best way to do this with Symfony?
Update 1:
After this I am trying to add some code to my security.yml file. It is redirected to the login page if the user is not registered, but it is always redirected to the login page. I want that once the user is logged in (has a "login" session), he can access other pages. How can I do it? Thanks.

    # .../security.html
    security:
        firewalls:
            ex_login:
                pattern: ^/ex/login$
                anonymous: ~
                security: false
            secured_area:
                pattern: ^/ex
                form_login:
                    check_path: /ex/logincheck
                    login_path: /ex/login
                logout:
                    path: /ex/logout
                    target: /ex

Update 2:
Here is my LoginController:

    public function loginAction() {
        $session = $this->getRequest()->getSession();
        if ($session->has('login')) {
            // redirect to home/index
        } else {
            // render login form
        }
    }

    public function logincheckAction(Request $request) {
        $session = $request->getSession();
        if ($request->getMethod() == 'POST') {
            // check user input (username && password) in database
            if (ok) {
                $session->set('login', 'true');
                // redirect to home/index
            } else {
                // redirect to login/index
            }
        } else {
            // redirect to login/index
        }
    }

    public function logoutAction() {
        // remove login session
        // redirect to login/index
    }

Here is my Other1Controller.php:

    indexAction() {
        echo 'page1';
    }

It is always redirected to the login page. After I fill in my fields and ask to log in, it is still redirected to the login page. How can I fix this? Thanks.
My idea is to protect all URLs, except the ones needed for registration and logout:

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/, role: ROLE_USER }

Make sure every user has at least ROLE_USER.
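How the access_control list in the answer is evaluated, as an added example (not part of the original answer, and a Python model rather than Symfony's own code): Symfony enforces only the first entry whose path pattern matches, so the order of the rules decides which URLs stay public. The model assumes no role_hierarchy is configured and looks at the path only; the sample requests are constructed.

```python
import re

# Rules copied from the answer's access_control block, in the same order.
ACCESS_CONTROL = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/logout$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin/", "ROLE_ADMIN"),
    (r"^/", "ROLE_USER"),
]


def required_role(path, rules=ACCESS_CONTROL):
    """Return the role of the first rule whose pattern matches, else None."""
    for pattern, role in rules:
        if re.search(pattern, path):
            return role  # first match wins; later rules are never consulted
    return None


def decide(path, user_roles, rules=ACCESS_CONTROL):
    """Model the outcome: 'allow', 'login' or 'deny'. user_roles=None is anonymous."""
    role = required_role(path, rules)
    if role is None or role == "IS_AUTHENTICATED_ANONYMOUSLY":
        return "allow"
    if user_roles is None:
        return "login"  # anonymous visitor is sent to the login form
    return "allow" if role in user_roles else "deny"  # deny = HTTP 403


if __name__ == "__main__":
    # Constructed sample requests: (path, roles of the visitor).
    samples = [
        ("/login", None),
        ("/", None),
        ("/reports/1", {"ROLE_USER"}),
        ("/admin/users", {"ROLE_USER"}),
        ("/reports/1", {"ROLE_ADMIN"}),  # no ROLE_USER and no role_hierarchy
    ]
    for path, roles in samples:
        print(path, roles, "->", decide(path, roles))

    # Moving the catch-all rule first makes /login itself require ROLE_USER.
    reordered = [ACCESS_CONTROL[-1]] + ACCESS_CONTROL[:-1]
    print("/login with ^/ first ->", decide("/login", None, reordered))
```

The last sample shows why the answer insists on ROLE_USER for every user: an account holding only ROLE_ADMIN is refused on every page outside /admin/ in this model.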