With the following relevant configuration in security.yml:

    security:
        firewalls:
            # disables authentication for assets and the profiler, adapt it according to your needs
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
            main:
                pattern:
                form_login:
                    provider: fos_userbundle
                    csrf_token_generator: security.csrf.token_manager
                logout: true
                anonymous: true
                logout_on_user_change: true
                remember_me:
                    secret: '%secret%'
                    secure: true
                    httponly: true
                    lifetime: 31536000

The remember me session token is only lasting for the browser session rather than the year as specified in the configuration. Could this be due to the secure: true setting? My development machine doesn't have any TLS installed, so could that be the culprit? Or is there something else I should be looking for? From looking at the documentation, it looks like I'm setting things up correctly, so I'm at a bit of a loss.

Turns out my gut feeling about secure: true was correct. I set it to false during a test, and the cookie was correct. Since my development machine doesn't have SSL/TLS, it can't send a secure cookie if that's what's configured. It should work on my production server, given I do have working SSL/TLS in that environment.
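
The client-side rule behind this behaviour, as an added example that is not part of the original post: a cookie carrying the Secure attribute is persistent for the configured lifetime but is never attached to a plain-HTTP request. The cookie name REMEMBERME, the token value, the host app.example.test and the /login path are constructed for the illustration.

```python
import email
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed header: what remember_me with secure: true, httponly: true and
# lifetime: 31536000 asks the client to store. Name and value are assumed.
SET_COOKIE = "REMEMBERME=constructed-token; Max-Age=31536000; Path=/; Secure; HttpOnly"


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = email.message_from_string(f"Set-Cookie: {set_cookie}\n\n")

    def info(self):
        return self._headers


def remember_me_behaviour(set_cookie, host="app.example.test"):
    """Store the cookie, then report its lifetime and which schemes receive it."""
    jar = CookieJar()
    # Python's jar stores the cookie whatever the scheme, which isolates the
    # sending rule checked below. The /login path is a hypothetical endpoint.
    jar.extract_cookies(FakeResponse(set_cookie), Request(f"https://{host}/login"))
    cookie = next(iter(jar))

    sent = {}
    for scheme in ("http", "https"):
        request = Request(f"{scheme}://{host}/")
        jar.add_cookie_header(request)  # applies the Secure-attribute check
        sent[scheme] = request.get_header("Cookie")

    return {
        "persistent": not cookie.discard,  # False would mean a session cookie
        "secure": cookie.secure,
        "sent_over_http": sent["http"],
        "sent_over_https": sent["https"],
    }


if __name__ == "__main__":
    print(remember_me_behaviour(SET_COOKIE))
```

Removing the Secure attribute from the header makes the same cookie go out over both schemes, which matches what setting secure: false did in the test described above.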