php symfony fosuserbundle symfony-3.4 server-configuration

Symfony3 loses user session instantly on login

I moved my Symfony3 app from shared hosting to a new VPS I just set up. When I try to log into the app (using a casual FOSUserBundle form), Symfony does log me in only to disconnect me on next page reload. Which is "instantly" because the first thing a successful login does, is redirect to a page.

What I tried :

I disabled redirection, which allows me to see I am connected on the 'login_check' page. I know this as the Symfony Debug Toolbar shows my name. Only not anymore after redirection.
I can see there is no PHPSESSID in my cookies anywhere at any time. I think it is the cookie in charge of keeping my Symfony session alive. So...
I tried different php scripts to check my VPS config. It does handle cookies and PHP sessions well.
I even installed a Wordpress in a subfolder, it handles my session and cookies perfectly.
The server folder Symfony uses to store sessions is the same used by Wordpress. And session files do appear on Symfony login attempt. (although sometimes they are just empty files...!?)
Upgrading FOSUB and Symfony to latest versions. No changes.

I'm using Symfony 3.4.6 and FOSUB 2.0.0. Any idea?

UPDATE: Security.yml

# https://symfony.com/doc/current/security.html#b-configuring-how-users-are-loaded
providers:
    fos_userbundle:
        id: fos_user.user_provider.username_email

firewalls:
    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            check_path:     fos_user_security_check
            failure_path:   fos_user_security_login
            login_path: /fr/public/login
            default_target_path: app_homepage
        logout:
            path: fos_user_security_logout
            target: fos_user_security_login
        anonymous:    true


access_control:
    # Allow anonymous logging for these page:
    - { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/fr/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/fr/public/*, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/fr/lab, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/fr/help, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/cron, role: IS_AUTHENTICATED_ANONYMOUSLY }
    # Techs pages
    - { path: ^/_console, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/_wdt, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/_profiler, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/_error, role: IS_AUTHENTICATED_ANONYMOUSLY }
    # Staff only
    - { path: ^/fr/staff/, role: ROLE_STAFF }
    - { path: ^/fr/staff/*, role: ROLE_STAFF }
    # Admin only
    - { path: ^/fr/admin/, role: ROLE_ADMIN }
    - { path: ^/fr/admin/*, role: ROLE_ADMIN }
    # All other pages need to be logged
    - { path: ^/*, role: [IS_AUTHENTICATED_FULLY,IS_AUTHENTICATED_REMEMBERED] }

Solution

So, the issue resides both in cookies and SSL. When installing my app on my new server, it took some time to transfer my SSL certificate, so the URL of my site was HTTP and not HTTPS.

The browser though, kept using a Symfony user session cookie called PHPSESSID that was added with the HTTPS protocol. For an unknown reason, the presence of this obsolete cookie prevented logging, without returning any error.

Plus I was using Firefox's EditThisCookie plugin which didn't show the presence of the PHPSESSID cookie. Although the browser still considered it.

So, for anyone experiencing the same (very specific) issue: Find and delete the PHPSESSID cookie that may be hard to find because not exactly under the same protocol. In Firefox: Web-debugger > Storage > Cookies.