How to Build a Login Form

How to Build a Login Form

See also

If you’re looking for the form_login firewall option, see Using the form_login Authentication Provider.

Ready to create a login form? First, make sure you’ve followed the main Security Guide to install security and create your User class.

Generating the Login Form

Creating a powerful login form can be bootstrapped with the make:auth command from MakerBundle. Depending on your setup, you may be asked different questions and your generated code may be slightly different:

  1. $ php bin/console make:auth
  3. What style of authentication do you want? [Empty authenticator]:
  4.  [0] Empty authenticator
  5.  [1] Login form authenticator
  6. > 1
  8. The class name of the authenticator to create (e.g. AppCustomAuthenticator):
  9. > LoginFormAuthenticator
  11. Choose a name for the controller class (e.g. SecurityController) [SecurityController]:
  12. > SecurityController
  14. Do you want to generate a '/logout' URL? (yes/no) [yes]:
  15. > yes
  17.  created: src/Security/LoginFormAuthenticator.php
  18.  updated: config/packages/security.yaml
  19.  created: src/Controller/SecurityController.php
  20.  created: templates/security/login.html.twig

New in version 1.8: Support for login form authentication was added to make:auth in MakerBundle 1.8.

This generates the following: 1) login/logout routes & controller, 2) a template that renders the login form, 3) a Guard authenticator class that processes the login submit and 4) updates the main security config file.

Step 1. The /login//logout routes & controller:

  1. // src/Controller/SecurityController.php
  2. namespace App\Controller;
  4. use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
  5. use Symfony\Component\HttpFoundation\Response;
  6. use Symfony\Component\Routing\Annotation\Route;
  7. use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
  9. class SecurityController extends AbstractController
  10. {
  11.     /**
  12.      * @Route("/login", name="app_login")
  13.      */
  14.     public function login(AuthenticationUtils $authenticationUtils): Response
  15.     {
  16.         // if ($this->getUser()) {
  17.         //     return $this->redirectToRoute('target_path');
  18.         // }
  20.         // get the login error if there is one
  21.         $error = $authenticationUtils->getLastAuthenticationError();
  22.         // last username entered by the user
  23.         $lastUsername = $authenticationUtils->getLastUsername();
  25.         return $this->render('security/login.html.twig', ['last_username' => $lastUsername, 'error' => $error]);
  26.     }
  28.     /**
  29.      * @Route("/logout", name="app_logout")
  30.      */
  31.     public function logout(): void
  32.     {
  33.         throw new \LogicException('This method can be blank - it will be intercepted by the logout key on your firewall.');
  34.     }
  35. }

Edit the security.yaml file in order to declare the /logout path:

  • YAML

    1. # config/packages/security.yaml
    2. security:
    3.     # ...
    5.     firewalls:
    6.         main:
    7.             # ...
    8.             logout:
    9.                 path: app_logout
    10.                 # where to redirect after logout
    11.                 # target: app_any_route

  • XML

    1. <!-- config/packages/security.xml -->
    2. <?xml version="1.0" encoding="UTF-8" ?>
    3. <srv:container xmlns="http://symfony.com/schema/dic/security"
    4.     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    5.     xmlns:srv="http://symfony.com/schema/dic/services"
    6.     xsi:schemaLocation="http://symfony.com/schema/dic/services
    7.         https://symfony.com/schema/dic/services/services-1.0.xsd">
    9.     <config>
    10.         <!-- ... -->
    11.         <firewall name="main">
    12.             <!-- ... -->
    13.             <logout path="app_logout"/>
    14.         </firewall>
    15.     </config>
    16. </srv:container>

  • PHP

    1. // config/packages/security.php
    2. $container->loadFromExtension('security', [
    3.     // ...
    4.     'firewalls' => [
    5.         'main' => [
    6.             // ...
    7.             'logout' => [
    8.                 'path' => 'app_logout',
    9.                 // where to redirect after logout
    10.                 'target' => 'app_any_route'
    11.             ],
    12.         ],
    13.     ],
    14. ]);

Step 2. The template has very little to do with security: it generates a traditional HTML form that submits to /login:

  1. {% extends 'base.html.twig' %}
  3. {% block title %}Log in!{% endblock %}
  5. {% block body %}
  6. <form method="post">
  7.     {% if error %}
  8.         <div class="alert alert-danger">{{ error.messageKey|trans(error.messageData, 'security') }}</div>
  9.     {% endif %}
  11.     {% if app.user %}
  12.         <div class="mb-3">
  13.             You are logged in as {{ app.user.username }}, <a href="{{ path('app_logout') }}">Logout</a>
  14.         </div>
  15.     {% endif %}
  17.     <h1 class="h3 mb-3 font-weight-normal">Please sign in</h1>
  18.     <label for="inputEmail">Email</label>
  19.     <input type="email" value="{{ last_username }}" name="email" id="inputEmail" class="form-control" required autofocus>
  20.     <label for="inputPassword">Password</label>
  21.     <input type="password" name="password" id="inputPassword" class="form-control" required>
  23.     <input type="hidden" name="_csrf_token"
  24.            value="{{ csrf_token('authenticate') }}"
  25.     >
  27.     {#
  28.         Uncomment this section and add a remember_me option below your firewall to activate remember me functionality.
  29.         See https://symfony.com/doc/current/security/remember_me.html
  31.         <div class="checkbox mb-3">
  32.             <label>
  33.                 <input type="checkbox" name="_remember_me"> Remember me
  34.             </label>
  35.         </div>
  36.     #}
  38.     <button class="btn btn-lg btn-primary" type="submit">
  39.         Sign in
  40.     </button>
  41. </form>
  42. {% endblock %}

Step 3. The Guard authenticator processes the form submit:

  1. // src/Security/LoginFormAuthenticator.php
  2. namespace App\Security;
  4. use App\Entity\User;
  5. use Doctrine\ORM\EntityManagerInterface;
  6. use Symfony\Component\HttpFoundation\RedirectResponse;
  7. use Symfony\Component\HttpFoundation\Request;
  8. use Symfony\Component\HttpFoundation\Response;
  9. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  10. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  11. use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
  12. use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
  13. use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
  14. use Symfony\Component\Security\Core\Security;
  15. use Symfony\Component\Security\Core\User\UserInterface;
  16. use Symfony\Component\Security\Core\User\UserProviderInterface;
  17. use Symfony\Component\Security\Csrf\CsrfToken;
  18. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  19. use Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator;
  20. use Symfony\Component\Security\Guard\PasswordAuthenticatedInterface;
  21. use Symfony\Component\Security\Http\Util\TargetPathTrait;
  23. class LoginFormAuthenticator extends AbstractFormLoginAuthenticator implements PasswordAuthenticatedInterface
  24. {
  25.     use TargetPathTrait;
  27.     public const LOGIN_ROUTE = 'app_login';
  29.     private $entityManager;
  30.     private $urlGenerator;
  31.     private $csrfTokenManager;
  32.     private $passwordEncoder;
  34.     public function __construct(EntityManagerInterface $entityManager, UrlGeneratorInterface $urlGenerator, CsrfTokenManagerInterface $csrfTokenManager, UserPasswordEncoderInterface $passwordEncoder)
  35.     {
  36.         $this->entityManager = $entityManager;
  37.         $this->urlGenerator = $urlGenerator;
  38.         $this->csrfTokenManager = $csrfTokenManager;
  39.         $this->passwordEncoder = $passwordEncoder;
  40.     }
  42.     public function supports(Request $request): bool
  43.     {
  44.         return self::LOGIN_ROUTE === $request->attributes->get('_route')
  45.             && $request->isMethod('POST');
  46.     }
  48.     public function getCredentials(Request $request)
  49.     {
  50.         $credentials = [
  51.             'email' => $request->request->get('email'),
  52.             'password' => $request->request->get('password'),
  53.             'csrf_token' => $request->request->get('_csrf_token'),
  54.         ];
  55.         $request->getSession()->set(
  56.             Security::LAST_USERNAME,
  57.             $credentials['email']
  58.         );
  60.         return $credentials;
  61.     }
  63.     public function getUser($credentials, UserProviderInterface $userProvider): ?User
  64.     {
  65.         $token = new CsrfToken('authenticate', $credentials['csrf_token']);
  66.         if (!$this->csrfTokenManager->isTokenValid($token)) {
  67.             throw new InvalidCsrfTokenException();
  68.         }
  70.         $user = $this->entityManager->getRepository(User::class)->findOneBy(['email' => $credentials['email']]);
  72.         if (!$user) {
  73.             // fail authentication with a custom error
  74.             throw new CustomUserMessageAuthenticationException('Email could not be found.');
  75.         }
  77.         return $user;
  78.     }
  80.     public function checkCredentials($credentials, UserInterface $user): bool
  81.     {
  82.         return $this->passwordEncoder->isPasswordValid($user, $credentials['password']);
  83.     }
  85.     /**
  86.      * Used to upgrade (rehash) the user's password automatically over time.
  87.      */
  88.     public function getPassword($credentials): ?string
  89.     {
  90.         return $credentials['password'];
  91.     }
  93.     public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey): ?Response
  94.     {
  95.         if ($targetPath = $this->getTargetPath($request->getSession(), $providerKey)) {
  96.             return new RedirectResponse($targetPath);
  97.         }
  99.         // For example : return new RedirectResponse($this->urlGenerator->generate('some_route'));
  100.         throw new \Exception('TODO: provide a valid redirect inside '.__FILE__);
  101.     }
  103.     protected function getLoginUrl(): string
  104.     {
  105.         return $this->urlGenerator->generate(self::LOGIN_ROUTE);
  106.     }
  107. }

Step 4. Updates the main security config file to enable the Guard authenticator and configure logout route:

  • YAML

    1. # config/packages/security.yaml
    2. security:
    3.     # ...
    5.     firewalls:
    6.         main:
    7.             # ...
    8.             guard:
    9.                 authenticators:
    10.                     - App\Security\LoginFormAuthenticator
    11.             logout:
    12.                 path: app_logout

  • XML

    1. <!-- config/packages/security.xml -->
    2. <?xml version="1.0" encoding="UTF-8" ?>
    3. <srv:container xmlns="http://symfony.com/schema/dic/security"
    4.     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    5.     xmlns:srv="http://symfony.com/schema/dic/services"
    6.     xsi:schemaLocation="http://symfony.com/schema/dic/services
    7.         https://symfony.com/schema/dic/services/services-1.0.xsd">
    9.     <config>
    10.         <!-- ... -->
    11.         <firewall name="main">
    12.             <!-- ... -->
    13.             <guard>
    14.                 <authenticator class="App\Security\LoginFormAuthenticator"/>
    15.             </guard>
    16.             <logout path="app_logout"/>
    17.         </firewall>
    18.     </config>
    19. </srv:container>

  • PHP

    1. // config/packages/security.php
    2. use App\Security\LoginFormAuthenticator;
    4. $container->loadFromExtension('security', [
    5.     // ...
    6.     'firewalls' => [
    7.         'main' => [
    8.             // ...,
    9.             'guard' => [
    10.                 'authenticators' => [
    11.                     LoginFormAuthenticator::class,
    12.                 ]
    13.             ],
    14.             'logout' => [
    15.                 'path' => 'app_logout',
    16.             ],
    17.         ],
    18.     ],
    19. ]);

Finishing the Login Form

Woh. The make:auth command just did a lot of work for you. But, you’re not done yet. First, go to /login to see the new login form. Feel free to customize this however you want.

When you submit the form, the LoginFormAuthenticator will intercept the request, read the email (or whatever field you’re using) & password from the form, find the User object, validate the CSRF token and check the password.

But, depending on your setup, you’ll need to finish one or more TODOs before the whole process works. You will at least need to fill in where you want your user to be redirected after success:

  1.   // src/Security/LoginFormAuthenticator.php
  3.   // ...
  4.   public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey): Response
  5.   {
  6.       // ...
  8. -     throw new \Exception('TODO: provide a valid redirect inside '.__FILE__);
  9. +     // redirect to some "app_homepage" route - of wherever you want
  10. +     return new RedirectResponse($this->urlGenerator->generate('app_homepage'));
  11.   }

Unless you have any other TODOs in that file, that’s it! If you’re loading users from the database, make sure you’ve loaded some dummy users. Then, try to login.

If you’re successful, the web debug toolbar will tell you who you are and what roles you have:

../_images/symfony_loggedin_wdt.png

The Guard authentication system is powerful, and you can customize your authenticator class to do whatever you need. To learn more about what the individual methods do, see Custom Authentication System with Guard (API Token Example).

Controlling Error Messages

You can cause authentication to fail with a custom message at any step by throwing a custom Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException. But in some cases, like if you return false from checkCredentials(), you may see an error that comes from the core of Symfony - like Invalid credentials..

To customize this message, you could throw a CustomUserMessageAuthenticationException instead. Or, you can translate the message through the security domain:

  • XML

    1. <!-- translations/security.en.xlf -->
    2. <?xml version="1.0" encoding="UTF-8" ?>
    3. <xliff version="1.2" xmlns="urn:oasis:names:tc:xliff:document:1.2">
    4.     <file source-language="en" datatype="plaintext" original="file.ext">
    5.         <body>
    6.             <trans-unit id="Invalid credentials.">
    7.                 <source>Invalid credentials.</source>
    8.                 <target>The password you entered was invalid!</target>
    9.             </trans-unit>
    10.         </body>
    11.     </file>
    12. </xliff>

  • YAML

    1. # translations/security.en.yaml
    2. 'Invalid credentials.': 'The password you entered was invalid!'

  • PHP

    1. // translations/security.en.php
    2. return [
    3.     'Invalid credentials.' => 'The password you entered was invalid!',
    4. ];

If the message isn’t translated, make sure you’ve installed the translator and try clearing your cache:

  1. $ php bin/console cache:clear

Redirecting to the Last Accessed Page with TargetPathTrait

The last request URI is stored in a session variable named _security.<your providerKey>.target_path (e.g. _security.main.target_path if the name of your firewall is main). Most of the times you don’t have to deal with this low level session variable. However, the Symfony\Component\Security\Http\Util\TargetPathTrait utility can be used to read (like in the example above) or set this value manually.

When the user tries to access a restricted page, they are being redirected to the login page. At that point target path will be set. After a successful login, the user will be redirected to this previously set target path.

If you also want to apply this behavior to public pages, you can create an event subscriber to set the target path manually whenever the user browses a page:

  1. // src/EventSubscriber/RequestSubscriber.php
  2. namespace App\EventSubscriber;
  4. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  5. use Symfony\Component\HttpFoundation\Session\SessionInterface;
  6. use Symfony\Component\HttpKernel\Event\RequestEvent;
  7. use Symfony\Component\HttpKernel\KernelEvents;
  8. use Symfony\Component\Security\Http\Util\TargetPathTrait;
  10. class RequestSubscriber implements EventSubscriberInterface
  11. {
  12.     use TargetPathTrait;
  14.     private $session;
  16.     public function __construct(SessionInterface $session)
  17.     {
  18.         $this->session = $session;
  19.     }
  21.     public function onKernelRequest(RequestEvent $event): void
  22.     {
  23.         $request = $event->getRequest();
  24.         if (
  25.             !$event->isMasterRequest()
  26.             || $request->isXmlHttpRequest()
  27.             || 'app_login' === $request->attributes->get('_route')
  28.         ) {
  29.             return;
  30.         }
  32.         $this->saveTargetPath($this->session, 'main', $request->getUri());
  33.     }
  35.     public static function getSubscribedEvents(): array
  36.     {
  37.         return [
  38.             KernelEvents::REQUEST => ['onKernelRequest']
  39.         ];
  40.     }
  41. }

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.