symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
+7-1Lines changed: 7 additions & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
+7-1Lines changed: 7 additions & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_remember_me.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_remember_me.php
+8-1Lines changed: 8 additions & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_remember_me.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_remember_me.php
+8-1Lines changed: 8 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Security/CHANGELOG.md
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/CHANGELOG.md
+1Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Component/Security/CHANGELOG.md
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/CHANGELOG.md
+1Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Authenticator/Passport/Badge/RememberMeBadge.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/Authenticator/Passport/Badge/RememberMeBadge.php
+25-16Lines changed: 25 additions & 16 deletions b/‎src/Symfony/Component/Security/Http/Authenticator/Passport/Badge/RememberMeBadge.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/Authenticator/Passport/Badge/RememberMeBadge.php
+25-16Lines changed: 25 additions & 16 deletions
diff --git a/‎src/Symfony/Component/Security/Http/EventListener/CheckRememberMeConditionsListener.php
Copy file name to clipboard
+79Lines changed: 79 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/EventListener/CheckRememberMeConditionsListener.php
Copy file name to clipboard
+79Lines changed: 79 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/EventListener/RememberMeListener.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/EventListener/RememberMeListener.php
+6-19Lines changed: 6 additions & 19 deletions b/‎src/Symfony/Component/Security/Http/EventListener/RememberMeListener.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/EventListener/RememberMeListener.php
+6-19Lines changed: 6 additions & 19 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Tests/EventListener/CheckRememberMeConditionsListenerTest.php
Copy file name to clipboard
+101Lines changed: 101 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/Tests/EventListener/CheckRememberMeConditionsListenerTest.php
Copy file name to clipboard
+101Lines changed: 101 additions & 0 deletions
@@ -132,11 +132,17 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
                 ->addTag('security.remember_me_handler', ['firewall' => $firewallName]);
         }
 
+        // create check remember me conditions listener (which checks if a remember me cookie is supported and requested)
+        $rememberMeConditionsListenerId = 'security.listener.check_remember_me_conditions.'.$firewallName;
+        $container->setDefinition($rememberMeConditionsListenerId, new ChildDefinition('security.listener.check_remember_me_conditions'))
+            ->replaceArgument(0, array_intersect_key($config, ['always_remember_me' => true, 'remember_me_parameter' => true]))
+            ->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$firewallName])
+        ;
+
         // create remember me listener (which executes the remember me services for other authenticators and logout)
         $rememberMeListenerId = 'security.listener.remember_me.'.$firewallName;
         $container->setDefinition($rememberMeListenerId, new ChildDefinition('security.listener.remember_me'))
             ->replaceArgument(0, new Reference($rememberMeHandlerId))
-            ->replaceArgument(1, array_intersect_key($config, ['always_remember_me' => true, 'remember_me_parameter' => true]))
             ->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$firewallName])
         ;
 
 
@@ -14,6 +14,7 @@
 use Symfony\Bundle\SecurityBundle\RememberMe\FirewallAwareRememberMeHandler;
 use Symfony\Component\Security\Core\Signature\SignatureHasher;
 use Symfony\Component\Security\Http\Authenticator\RememberMeAuthenticator;
+use Symfony\Component\Security\Http\EventListener\CheckRememberMeConditionsListener;
 use Symfony\Component\Security\Http\EventListener\RememberMeListener;
 use Symfony\Component\Security\Http\RememberMe\PersistentRememberMeHandler;
 use Symfony\Component\Security\Http\RememberMe\RememberMeHandlerInterface;
@@ -61,11 +62,17 @@
             ])
         ->alias(RememberMeHandlerInterface::class, 'security.authenticator.firewall_aware_remember_me_handler')
 
+        ->set('security.listener.check_remember_me_conditions', CheckRememberMeConditionsListener::class)
+            ->abstract()
+            ->args([
+                abstract_arg('options'),
+                service('logger')->nullOnInvalid(),
+            ])
+
         ->set('security.listener.remember_me', RememberMeListener::class)
             ->abstract()
             ->args([
                 abstract_arg('remember me handler'),
-                abstract_arg('options'),
                 service('logger')->nullOnInvalid(),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
 
@@ -4,6 +4,7 @@ CHANGELOG
 5.3
 ---
 
+ * Add `RememberMeConditionsListener` to check if remember me is requested and supported, and set priority of `RememberMeListener` to -63
  * Add `Core\Signature\SignatureHasher` and moved `Http\LoginLink\ExpiredLoginLinkStorage` to `Core\Signature\ExpiredLoginLinkStorage`
  * Add `RememberMeHandlerInterface` and implementations, used as a replacement of `RememberMeServicesInterface` when using the AuthenticatorManager
  * Add `TokenDeauthenticatedEvent` that is dispatched when the current security token is deauthenticated
 
@@ -14,14 +14,9 @@
 /**
  * Adds support for remember me to this authenticator.
  *
- * Remember me cookie will be set if *all* of the following are met:
- *  A) This badge is present in the Passport
- *  B) The remember_me key under your firewall is configured
- *  C) The "remember me" functionality is activated. This is usually
- *      done by having a _remember_me checkbox in your form, but
- *      can be configured by the "always_remember_me" and "remember_me_parameter"
- *      parameters under the "remember_me" firewall key
- *  D) The authentication process returns a success Response object
+ * The presence of this badge doesn't create the remember me cookie. The actual
+ * cookie is only created if this badge is enabled. By default, this is done
+ * by the {@see RememberMeConditionsListener} if all conditions are met.
  *
  * @author Wouter de Jong <wouter@wouterj.nl>
  *
@@ -30,24 +25,38 @@
  */
 class RememberMeBadge implements BadgeInterface
 {
-    private $useRememberMe;
+    private $enabled = false;
 
     /**
-     * @param string|bool|null $saveRememberMe can be used to opt-in/out from remember me (e.g. using a checkbox on the login form)
+     * Enables remember me cookie creation.
+     *
+     * In most cases, {@see RememberMeConditionsListener} enables this
+     * automatically if always_remember_me is true or the remember_me_parameter
+     * exists in the request.
+     *
+     * @return $this
      */
-    public function __construct($useRememberMe = null)
+    public function enable(): self
     {
-        $this->useRememberMe = $useRememberMe;
+        $this->enabled = true;
+
+        return $this;
     }
 
-    public function setUseRememberMe(bool $useRememberMe)
+    /**
+     * Disables remember me cookie creation.
+     *
+     * The default is disabled, this can be called to suppress creation
+     * after it was enabled.
+     */
+    public function disable(): void
     {
-        $this->useRememberMe = $useRememberMe;
+        $this->enabled = false;
     }
 
-    public function getUseRememberMe(): ?bool
+    public function isEnabled(): bool
     {
-        return $this->useRememberMe;
+        return $this->enabled;
     }
 
     public function isResolved(): bool
 
@@ -0,0 +1,79 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\EventListener;
+
+use Psr\Log\LoggerInterface;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
+use Symfony\Component\Security\Http\Event\LoginFailureEvent;
+use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
+use Symfony\Component\Security\Http\Event\LogoutEvent;
+use Symfony\Component\Security\Http\Event\TokenDeauthenticatedEvent;
+use Symfony\Component\Security\Http\ParameterBagUtils;
+use Symfony\Component\Security\Http\RememberMe\RememberMeHandlerInterface;
+
+/**
+ * Checks if all conditions are met for remember me.
+ *
+ * The conditions that must be met for this listener to enable remember me:
+ *  A) This badge is present in the Passport
+ *  B) The remember_me key under your firewall is configured
+ *  C) The "remember me" functionality is activated. This is usually
+ *      done by having a _remember_me checkbox in your form, but
+ *      can be configured by the "always_remember_me" and "remember_me_parameter"
+ *      parameters under the "remember_me" firewall key (or "always_remember_me"
+ *      is enabled)
+ *
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ *
+ * @final
+ * @experimental in 5.3
+ */
+class CheckRememberMeConditionsListener implements EventSubscriberInterface
+{
+    private $options;
+    private $logger;
+
+    public function __construct(array $options = [], ?LoggerInterface $logger = null)
+    {
+        $this->options = $options + ['always_remember_me' => false, 'remember_me_parameter' => '_remember_me'];
+        $this->logger = $logger;
+    }
+
+    public function onSuccessfulLogin(LoginSuccessEvent $event): void
+    {
+        $passport = $event->getPassport();
+        if (!$passport->hasBadge(RememberMeBadge::class)) {
+            return;
+        }
+
+        /** @var RememberMeBadge $badge */
+        $badge = $passport->getBadge(RememberMeBadge::class);
+        if (!$this->options['always_remember_me']) {
+            $parameter = ParameterBagUtils::getRequestParameterValue($event->getRequest(), $this->options['remember_me_parameter']);
+            if (!('true' === $parameter || 'on' === $parameter || '1' === $parameter || 'yes' === $parameter || true === $parameter)) {
+                if (null !== $this->logger) {
+                    $this->logger->debug('Remember me disabled; request does not contain remember me parameter ("{parameter}").', ['parameter' => $this->options['remember_me_parameter']]);
+                }
+
+                return;
+            }
+        }
+
+        $badge->enable();
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [LoginSuccessEvent::class => ['onSuccessfulLogin', -32]];
+    }
+}
@@ -37,13 +37,11 @@
 class RememberMeListener implements EventSubscriberInterface
 {
     private $rememberMeHandler;
-    private $options;
     private $logger;
 
-    public function __construct(RememberMeHandlerInterface $rememberMeHandler, array $options = [], ?LoggerInterface $logger = null)
+    public function __construct(RememberMeHandlerInterface $rememberMeHandler, ?LoggerInterface $logger = null)
     {
         $this->rememberMeHandler = $rememberMeHandler;
-        $this->options = $options + ['always_remember_me' => false, 'remember_me_parameter' => '_remember_me'];
         $this->logger = $logger;
     }
 
@@ -63,23 +61,12 @@ public function onSuccessfulLogin(LoginSuccessEvent $event): void
 
         /** @var RememberMeBadge $badge */
         $badge = $passport->getBadge(RememberMeBadge::class);
-        if (!$this->options['always_remember_me']) {
-            if (false === $badge->getUseRememberMe()) {
-                if (null !== $this->logger) {
-                    $this->logger->debug('Did not send remember-me cookie; remember-me was opted-out by the first argument of RememberMeBadge.');
-                }
-
-                return;
+        if (!$badge->isEnabled()) {
+            if (null !== $this->logger) {
+                $this->logger->debug('Remember me skipped: the RememberMeBadge is not enabled.');
             }
 
-            $parameter = ParameterBagUtils::getRequestParameterValue($event->getRequest(), $this->options['remember_me_parameter']);
-            if (!('true' === $parameter || 'on' === $parameter || '1' === $parameter || 'yes' === $parameter || true === $parameter)) {
-                if (null !== $this->logger) {
-                    $this->logger->debug('Did not send remember-me cookie; request does not contain remember me parameter ("{parameter}").', ['parameter' => $this->options['remember_me_parameter']]);
-                }
-
-                return;
-            }
+            return;
         }
 
         if (null !== $this->logger) {
@@ -97,7 +84,7 @@ public function clearCookie(): void
     public static function getSubscribedEvents(): array
     {
         return [
-            LoginSuccessEvent::class => 'onSuccessfulLogin',
+            LoginSuccessEvent::class => ['onSuccessfulLogin', -64],
             LoginFailureEvent::class => 'clearCookie',
             LogoutEvent::class => 'clearCookie',
             TokenDeauthenticatedEvent::class => 'clearCookie',
 
@@ -0,0 +1,101 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Tests\EventListener;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\User\User;
+use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
+use Symfony\Component\Security\Http\EventListener\CheckRememberMeConditionsListener;
+
+class CheckRememberMeConditionsListenerTest extends TestCase
+{
+    private $listener;
+    private $request;
+    private $response;
+
+    protected function setUp(): void
+    {
+        $this->listener = new CheckRememberMeConditionsListener();
+        $this->request = Request::create('/login');
+        $this->request->request->set('_remember_me', true);
+        $this->response = new Response();
+    }
+
+    public function testSuccessfulLoginWithoutSupportingAuthenticator()
+    {
+        $passport = $this->createPassport([]);
+
+        $this->listener->onSuccessfulLogin($this->createLoginSuccessfulEvent($passport));
+
+        $this->assertFalse($passport->hasBadge(RememberMeBadge::class));
+    }
+
+    public function testSuccessfulLoginWithoutRequestParameter()
+    {
+        $this->request = Request::create('/login');
+        $passport = $this->createPassport();
+
+        $this->listener->onSuccessfulLogin($this->createLoginSuccessfulEvent($passport));
+
+        $this->assertFalse($passport->getBadge(RememberMeBadge::class)->isEnabled());
+    }
+
+    public function testSuccessfulLoginWhenRememberMeAlwaysIsTrue()
+    {
+        $passport = $this->createPassport();
+        $listener = new CheckRememberMeConditionsListener(['always_remember_me' => true]);
+
+        $this->listener->onSuccessfulLogin($this->createLoginSuccessfulEvent($passport));
+
+        $this->assertTrue($passport->getBadge(RememberMeBadge::class)->isEnabled());
+    }
+
+    /**
+     * @dataProvider provideRememberMeOptInValues
+     */
+    public function testSuccessfulLoginWithOptInRequestParameter($optInValue)
+    {
+        $this->request->request->set('_remember_me', $optInValue);
+        $passport = $this->createPassport();
+
+        $this->listener->onSuccessfulLogin($this->createLoginSuccessfulEvent($passport));
+
+        $this->assertTrue($passport->getBadge(RememberMeBadge::class)->isEnabled());
+    }
+
+    public function provideRememberMeOptInValues()
+    {
+        yield ['true'];
+        yield ['1'];
+        yield ['on'];
+        yield ['yes'];
+        yield [true];
+    }
+
+    private function createLoginSuccessfulEvent(PassportInterface $passport)
+    {
+        return new LoginSuccessEvent($this->createMock(AuthenticatorInterface::class), $passport, $this->createMock(TokenInterface::class), $this->request, $this->response, 'main_firewall');
+    }
+
+    private function createPassport(array $badges = null)
+    {
+        return new SelfValidatingPassport(new UserBadge('test', function ($username) { return new User($username, null); }), $badges ?? [new RememberMeBadge()]);
+    }
+}