Description
We are using the PersistentTokenBasedRememberMeServices service together with the DoctrineTokenProvider class to manage "remember me" tokens. The idea behind the service is to update the token hash after each usage, so the same token cannot be used twice.
Now, if you have a "remember me" cookie and request a page that includes an ESI fragment, both the main request and the ESI request will trigger the auto-login process. However, after the main request has used the token, the hash is changed and the cookie is regenerated. By the time the ESI request is processed, the "remember me" token can no longer be verified (CookieTheftException) and the cookie is deleted in the loginFail method.
If the user was successfully authenticated based on the "remember me" cookie in the main request, the response will contain the updated "remember me" cookie as well as a session cookie. Should these cookies not be passed to the ESI request?