Symfony version(s) affected: 4.1.3

Description

When using "Remember me" functionality, session is regenerated with every request. Due to concurrent requests done by browser session is effectively lost which leads to e.g. CSRF token mismatch.

Authentication is kept, user is still logged in (because of Remember me), but the session is lost.

In \Symfony\Component\Security\Http\Firewall\RememberMeListener::handle:87 following method is called \Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy::onAuthentication. With default session strategy migrate it leads to calling session_regenerate_id($destroy = true) in every request. Session ID is changed A->B with main request. For other requests done by browser session ID is B, but changed B->C, B->D etc.

How to reproduce

• use "Remember me" functionality
• login e.g using form
• make HTTP request, which makes browser request other resources responded by controller (not assets)
• you can check session ID changes every request and Cookie/Set-Cookie HTTP headers is set sent accordingly.

fragment from config/packages/security.yaml

            remember_me:
                secret: '%kernel.secret%'
                lifetime: 34128000
                #                secure: true
                always_remember_me: true
                user_provider: entity.user_account.email

Possible Solution

• set strategy to none (probably not safe) or
• authenticate user in RememberMeListener only if not already authenticated (according to Removing the session migration on SimplePreAuthenticationListener #27427 (comment))

Additional context

• full security.yml configuration
• might be related to Missing session values after upgrade to 4.1 #27640
• bug report is opposite to Login via "Remember me" does not regenerate session ID #15764 :-D