use same route for login_path and check_path

Author: Henry Snoek

best_practices/security.rst

@@ -57,8 +57,8 @@ which uses a login form to load users from the database:
                 pattern: ^/
                 anonymous: true
                 form_login:
-                    check_path: security_login_check
-                    login_path: security_login_form
+                    check_path: login
+                    login_path: login
 
                 logout:
                     path: security_logout

cookbook/security/csrf_in_login_form.rst

@@ -92,7 +92,7 @@ using the login form:
         {# src/AppBundle/Resources/views/Security/login.html.twig #}
 
         {# ... #}
-        <form action="{{ path('login_check') }}" method="post">
+        <form action="{{ path('login') }}" method="post">
             {# ... the login fields #}
 
             <input type="hidden" name="_csrf_token"
@@ -107,7 +107,7 @@ using the login form:
         <!-- src/AppBundle/Resources/views/Security/login.html.php -->
 
         <!-- ... -->
-        <form action="<?php echo $view['router']->generate('login_check') ?>" method="post">
+        <form action="<?php echo $view['router']->generate('login') ?>" method="post">
             <!-- ... the login fields -->
 
             <input type="hidden" name="_csrf_token"

cookbook/security/form_login.rst

@@ -234,7 +234,7 @@ redirect to the URL defined by some ``account`` route, use the following:
             <div>{{ error.message }}</div>
         {% endif %}
 
-        <form action="{{ path('login_check') }}" method="post">
+        <form action="{{ path('login') }}" method="post">
             <label for="username">Username:</label>
             <input type="text" id="username" name="_username" value="{{ last_username }}" />
 
@@ -253,7 +253,7 @@ redirect to the URL defined by some ``account`` route, use the following:
             <div><?php echo $error->getMessage() ?></div>
         <?php endif ?>
 
-        <form action="<?php echo $view['router']->generate('login_check') ?>" method="post">
+        <form action="<?php echo $view['router']->generate('login') ?>" method="post">
             <label for="username">Username:</label>
             <input type="text" id="username" name="_username" value="<?php echo $last_username ?>" />
 

cookbook/security/form_login_setup.rst

@@ -26,8 +26,8 @@ First, enable form login under your firewall:
                 main:
                     anonymous: ~
                     form_login:
-                        login_path: /login
-                        check_path: /login_check
+                        login_path: login
+                        check_path: login
 
     .. code-block:: xml
 
@@ -42,7 +42,7 @@ First, enable form login under your firewall:
             <config>
                 <firewall name="main">
                     <anonymous />
-                    <form-login login-path="/login" check-path="/login_check" />
+                    <form-login login-path="/login" check-path="/login" />
                 </firewall>
             </config>
         </srv:container>
@@ -55,8 +55,8 @@ First, enable form login under your firewall:
                 'main' => array(
                     'anonymous'  => null,
                     'form_login' => array(
-                        'login_path' => '/login',
-                        'check_path' => '/login_check',
+                        'login_path' => 'login',
+                        'check_path' => 'login',
                     ),
                 ),
             ),
@@ -82,8 +82,8 @@ bundle::
     {
     }
 
-Next, create two routes: one for each of the paths you configured earlier
-under your ``form_login`` configuration (``/login`` and ``/login_check``):
+Next, create a route for the path you configured earlier
+under your ``form_login`` configuration (``/login``):
 
 .. configuration-block::
 
@@ -98,34 +98,20 @@ under your ``form_login`` configuration (``/login`` and ``/login_check``):
         class SecurityController extends Controller
         {
             /**
-             * @Route("/login", name="login_route")
+             * @Route("/login", name="login")
              */
             public function loginAction(Request $request)
             {
             }
-
-            /**
-             * @Route("/login_check", name="login_check")
-             */
-            public function loginCheckAction()
-            {
-                // this controller will not be executed,
-                // as the route is handled by the Security system
-            }
         }
 
     .. code-block:: yaml
 
         # app/config/routing.yml
-        login_route:
+        login:
             path:     /login
             defaults: { _controller: AppBundle:Security:login }
 
-        login_check:
-            path: /login_check
-            # no controller is bound to this route
-            # as it's handled by the Security system
-
     .. code-block:: xml
 
         <!-- app/config/routing.xml -->
@@ -135,13 +121,9 @@ under your ``form_login`` configuration (``/login`` and ``/login_check``):
             xsi:schemaLocation="http://symfony.com/schema/routing
                 http://symfony.com/schema/routing/routing-1.0.xsd">
 
-            <route id="login_route" path="/login">
+            <route id="login" path="/login">
                 <default key="_controller">AppBundle:Security:login</default>
             </route>
-
-            <route id="login_check" path="/login_check" />
-            <!-- no controller is bound to this route
-                 as it's handled by the Security system -->
         </routes>
 
     ..  code-block:: php
@@ -151,14 +133,10 @@ under your ``form_login`` configuration (``/login`` and ``/login_check``):
         use Symfony\Component\Routing\Route;
 
         $collection = new RouteCollection();
-        $collection->add('login_route', new Route('/login', array(
+        $collection->add('login', new Route('/login', array(
             '_controller' => 'AppBundle:Security:login',
         )));
 
-        $collection->add('login_check', new Route('/login_check'));
-        // no controller is bound to this route
-        // as it's handled by the Security system
-
         return $collection;
 
 Great! Next, add the logic to ``loginAction`` that will display the login
@@ -220,7 +198,7 @@ Finally, create the template:
             <div>{{ error.messageKey|trans(error.messageData, 'security') }}</div>
         {% endif %}
 
-        <form action="{{ path('login_check') }}" method="post">
+        <form action="{{ path('login') }}" method="post">
             <label for="username">Username:</label>
             <input type="text" id="username" name="_username" value="{{ last_username }}" />
 
@@ -243,7 +221,7 @@ Finally, create the template:
             <div><?php echo $error->getMessage() ?></div>
         <?php endif ?>
 
-        <form action="<?php echo $view['router']->generate('login_check') ?>" method="post">
+        <form action="<?php echo $view['router']->generate('login') ?>" method="post">
             <label for="username">Username:</label>
             <input type="text" id="username" name="_username" value="<?php echo $last_username ?>" />
 
@@ -269,7 +247,7 @@ Finally, create the template:
 
 The form can look like anything, but has a few requirements:
 
-* The form must POST to ``/login_check``, since that's what you configured
+* The form must POST to ``/login``, since that's what you configured
   under the ``form_login`` key in ``security.yml``.
 
 * The username must have the name ``_username`` and the password must have
@@ -297,7 +275,7 @@ To review the whole process:
    user to the login form (``/login``);
 #. The ``/login`` page renders login form via the route and controller created
    in this example;
-#. The user submits the login form to ``/login_check``;
+#. The user submits the login form to ``/login``;
 #. The security system intercepts the request, checks the user's submitted
    credentials, authenticates the user if they are correct, and sends the
    user back to the login form if they are not.
@@ -324,12 +302,11 @@ When setting up your login form, watch out for a few common pitfalls.
 1. Create the Correct Routes
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-First, be sure that you've defined the ``/login`` and ``/login_check``
-routes correctly and that they correspond to the ``login_path`` and
-``check_path`` config values. A misconfiguration here can mean that you're
-redirected to a 404 page instead of the login page, or that submitting
-the login form does nothing (you just see the login form over and over
-again).
+First, be sure that you've defined the ``/login`` route correctly and that
+it corresponds to the ``login_path`` and``check_path`` config values.
+A misconfiguration here can mean that you're redirected to a 404 page instead
+of the login page, or that submitting the login form does nothing (you just see
+the login form over and over again).
 
 2. Be Sure the Login Page Isn't Secure (Redirect Loop!)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -472,14 +449,14 @@ for the login page:
             ),
         ),
 
-3. Be Sure /login_check Is Behind a Firewall
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+3. Be Sure check_path Is Behind a Firewall
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Next, make sure that your ``check_path`` URL (e.g. ``/login_check``) is behind
+Next, make sure that your ``check_path`` URL (e.g. ``/login``) is behind
 the firewall you're using for your form login (in this example, the single
-firewall matches *all* URLs, including ``/login_check``). If ``/login_check``
+firewall matches *all* URLs, including ``/login``). If ``/login``
 doesn't match any firewall, you'll receive a ``Unable to find the controller
-for path "/login_check"`` exception.
+for path "/login"`` exception.
 
 4. Multiple Firewalls Don't Share the Same Security Context
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cookbook/security/remember_me.rst

@@ -152,7 +152,7 @@ this:
             <div>{{ error.message }}</div>
         {% endif %}
 
-        <form action="{{ path('login_check') }}" method="post">
+        <form action="{{ path('login') }}" method="post">
             <label for="username">Username:</label>
             <input type="text" id="username" name="_username" value="{{ last_username }}" />
 
@@ -172,7 +172,7 @@ this:
             <div><?php echo $error->getMessage() ?></div>
         <?php endif ?>
 
-        <form action="<?php echo $view['router']->generate('login_check') ?>" method="post">
+        <form action="<?php echo $view['router']->generate('login') ?>" method="post">
             <label for="username">Username:</label>
             <input type="text" id="username"
                    name="_username" value="<?php echo $last_username ?>" />

reference/configuration/security.rst

@@ -129,10 +129,10 @@ Each part will be explained in the next section.
                         provider: some_key_from_above
                     form_login:
                         # submit the login form here
-                        check_path: /login_check
+                        check_path: login
 
                         # the user is redirected here when they need to log in
-                        login_path: /login
+                        login_path: login
 
                         # if true, forward the user to the login form instead of redirecting
                         use_forward: false
@@ -252,7 +252,7 @@ The Login Form and Process
 login_path
 ..........
 
-**type**: ``string`` **default**: ``/login``
+**type**: ``string`` **default**: ``login``
 
 This is the route or path that the user will be redirected to (unless ``use_forward``
 is set to ``true``) when they try to access a protected resource but isn't
@@ -265,7 +265,7 @@ you may create a redirect loop. For details, see
 check_path
 ..........
 
-**type**: ``string`` **default**: ``/login_check``
+**type**: ``string`` **default**: ``login``
 
 This is the route or path that your login form must submit to. The firewall
 will intercept any requests (``POST`` requests only, by default) to this