Hi folks, this page https://symfony.com/doc/current/security/access_denied_handler.html makes no mention of users authenticated with "remember me". I think it should be made more clear that "remember me" is treated the same as unauthenticated for the purpose of deciding whether to redirect to login or display a 403 forbidden.
I suggest changing from:
If the user is authenticated ...
to:
Only if the user is fully authenticated (note: "remember me" does not count as fully authenticated)
or something along those lines.
Also, the section below that contains:
... that is called whenever an unauthenticated user tries to access a protected resource
is misleading and should be changed. Instead of "unauthenticated users" it really should say "not fully authenticated users".
Side note, I disagree with the current behaviour (I think users authenticated with "remember me" should count as "authenticated"), but it is what it is and I think the docs should make it clear so future developers don't get surprised.