Home » Php » php – Redirect loop of death in Symfony2 security

php – Redirect loop of death in Symfony2 security

Posted by: admin July 12, 2020 Leave a comment

Questions:

I have an admin area with login that we are forcing to https://. Hitting the route /admin should redirect to the login page if the user isn’t logged in, but I’m getting an endless redirect loop. Not sure what’s wrong, here’s security.yml:

firewalls: 
        admin_login:
            pattern:  ^/admin/secured/login$
            security: false

        admin_secured_area:
            pattern: ^/admin
            provider: entity_admin
            form_login:
                check_path: /admin/secured/login_check
                login_path: /admin/secured/login
                default_target_path: /admin
            logout:
                path:   /admin/secured/logout
                target: /

    access_control:
        - { path: ^/admin/secured/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
        - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }

Thanks for your help!

How to&Answers:

No need for a “admin_login” section in firewalls. But it looks like you forgot anonymous parameter..

firewalls:     
        admin_secured_area:
            anonymous: ~
            pattern: ^/admin
            provider: entity_admin
            form_login:
                check_path: /admin/secured/login_check
                login_path: /admin/secured/login
                default_target_path: /admin
            logout:
                path:   /admin/secured/logout
                target: /

    access_control:
        - { path: ^/admin/secured/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
        - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }

As I said in my comment, do you set ROLE_ADMIN role for logged users ?

EDIT: Does your routing state HTTPS channel too for admin section ?

Answer:

After quick look I would say that something like this below should be correct:

firewalls: 
    admin_secured_area:
        pattern:  ^/admin
        provider: entity_admin
        form_login:
            check_path: /admin/secured/login_check
            login_path: /admin/secured/login
            default_target_path: /admin
        logout:
            path:   /admin/secured/logout
            target: /

access_control:
    - { path: ^/admin/secured/(login|login_check|logout)$, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
    - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }

Anyway, if this not help, I recommend to check the redirects with built-in profiler (tabs with route matches and logs), to turn it on the redirects change config_dev.yml to:

web_profiler:
    toolbar: true
    intercept_redirects: true

Answer:

Hi so this is related to the way that Symfony2 $request->isSecure() checks for SSL when the site is under a load balancer, there are some inconsistent header names in PHP. The config file needs the following:

trusted_proxies: [10.0.0.0/8]

It now works, but I don’t know if there are security issues with this setting though.

Answer:

^/admin/secured/login_check should by authenticated anonymously too as users won’t have a role when they originally call that page, hence the loop.

Answer:

Remove :

admin_login:
            pattern:  ^/admin/secured/login$
            security: false