Issue Description: Split Authentication State Between PHPMaker and Symfony Security

This issue usually occurs after the user logs in, after some time has passed, and after an error that happens during code development. Once that error is fixed, this problem appears...

I’m experiencing a very confusing authentication inconsistency in a hybrid system that combines PHPMaker’s internal security layer with Symfony Security (firewalls + authenticators).

Problem Summary

After a user successfully logs in, everything appears to work correctly inside the PHPMaker-generated part of the application. The session contains all expected PHPMaker-related authentication data, and the user is considered logged in.

However, as soon as I navigate to parts of the application that rely on Symfony Security, the authentication state is completely missing.

This leads to a situation where:

  • In PHPMaker-controlled pages → user is logged in ✔
  • In Symfony-controlled pages → user is NOT authenticated ❌
  • Security::getToken() returns null
  • isGranted() returns false
  • Symfony session security keys like _security.main do not exist
  • Only unrelated session values like _security.last_username or _security.main.target_path exist

So effectively, the system behaves as if there are two separate authentication contexts, and only one of them is active depending on the part of the system being executed.


Observed Behavior

When debugging the session, I see the following:

  • Symfony security session keys are partially present:

    • _security.last_username
    • _security.main.target_path
  • But the actual security token storage is missing:

    • _security.main → null
  • Symfony security token is also missing:

    • $this->security->getToken() → null
  • Access checks fail:

    • isGranted() → false

Additionally, none of the expected Symfony security lifecycle events are triggered:

  • AuthenticationSuccessHandler is never called
  • AuthenticationTokenCreatedEvent is never fired
  • Custom authenticators (AbstractLoginFormAuthenticator) are not consistently executed or appear to be bypassed

What I Have Already Tested

I investigated the issue from multiple angles:

  1. Checked Symfony firewall configuration

    • Verified main firewall uses a custom authenticator
    • Confirmed session-based firewall (stateless: false)
  2. Debugged authentication flow

    • Added dumps inside authenticate()
    • Added dumps inside onAuthenticationSuccess()
    • Added listeners for authentication events
  3. Inspected session state

    • Confirmed _security.main is missing
    • Confirmed only partial _security.* keys exist
  4. Verified security token

    • Security::getToken() returns null immediately after login
  5. Reviewed login implementation

    • PHPMaker has its own login/session mechanism running in parallel

Key Suspicion

It appears that PHPMaker is managing authentication independently from Symfony Security, and Symfony is either:

  • Not being fully engaged during login, or
  • Losing its security token immediately after request transition, or
  • Operating in a different session scope than PHPMaker’s login system

This results in a split-brain authentication state:

  • PHPMaker session = authenticated user
  • Symfony Security context = anonymous user

What I Need Help With

I am trying to understand:

  • Why Symfony Security is not persisting the authentication token
  • Whether PHPMaker session handling is bypassing or overwriting Symfony session storage
  • How to properly synchronize PHPMaker authentication with Symfony firewall
  • Whether a custom authenticator is being ignored or not registered correctly in the firewall lifecycle

If anyone has experience integrating PHPMaker authentication with Symfony Security, or has seen similar “half-authenticated session” behavior, I would really appreciate guidance.

I was forced to add this code at the end of the onKernelRequest function to work around the issue until the developer fixes it.

src\AppEventSubscriber.php

public function onKernelRequest(RequestEvent $event): void
{
	// Previous code...

	if ($user === null) {
		$phpmakerUser = $this->security->currentUserName();
		$phpmakerStatus = $session->get(SESSION_STATUS);

		if ($phpmakerUser && $phpmakerStatus === 'login') {
			try {
				$provider = null;
				$providers = ServiceLocator('security.user_providers')->getProviders();
				foreach ($providers as $p) {
					if ($p instanceof \Symfony\Component\Security\Core\User\UserProviderInterface) {
						$provider = $p;
						break;
					}
				}

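				if ($provider) {
					// Reload the Symfony user for the username PHPMaker holds in its session.
					$user = $provider->loadUserByIdentifier($phpmakerUser);
					if ($user) {
						// Rebuild a token for the "main" firewall, put it in the token storage
						// for this request, and persist it in the session for later requests.
						$newToken = new UsernamePasswordToken($user, 'main', $user->getRoles());
						$this->tokenStorage->setToken($newToken);
						$session->set('_security_main', serialize($newToken));
						$this->profile->setUser($user);
						$this->security->login();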
						// Also create a JWT token.
						try {
							$jwtManager = ServiceLocator('lexik_jwt_authentication.jwt_manager');
							$jwtToken = $jwtManager->create($user);
							$session->set('_jwt_token', $jwtToken);
						} catch (\Exception $e) {
							// If JWT is not created, do nothing.
						}
					}
				}
			} catch (\Exception $e) {
				// do nothing.
			}
		}
	}
}
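
A diagnostic for the split state described in the post, as an added example (not the poster's or PHPMaker's code): a subscriber that runs after the Symfony firewall and logs every request on which PHPMaker's session flag and Symfony's token storage disagree, together with the session name and the `_security*` keys actually present. The class name, namespace and the `$phpmakerStatusKey` argument (the value of the post's `SESSION_STATUS` constant, passed in as a service argument) are assumptions.

```php
<?php
// Added diagnostic example; class name, namespace and constructor arguments are hypothetical.
namespace App\EventSubscriber;

use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;

final class SplitAuthStateProbe implements EventSubscriberInterface
{
    public function __construct(
        private TokenStorageInterface $tokenStorage,
        private LoggerInterface $logger,
        // Assumption: the session key PHPMaker writes its login status to
        // (the value of SESSION_STATUS in the post), wired in services.yaml.
        private string $phpmakerStatusKey,
        private string $firewallName = 'main',
    ) {}

    public static function getSubscribedEvents(): array
    {
        // The Symfony firewall listens on kernel.request at priority 8, so
        // priority 0 runs after it has restored (or failed to restore) the token.
        return [KernelEvents::REQUEST => ['onKernelRequest', 0]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest() || !$request->hasSession()) {
            return;
        }
        $session = $request->getSession();
        $phpmakerLoggedIn = $session->get($this->phpmakerStatusKey) === 'login';
        $token = $this->tokenStorage->getToken();
        if ($phpmakerLoggedIn === ($token !== null)) {
            return; // both layers agree, nothing to report
        }
        $this->logger->warning('Split authentication state', [
            'path' => $request->getPathInfo(),
            'phpmaker_logged_in' => $phpmakerLoggedIn,
            'symfony_token' => $token ? $token::class : null,
            // The firewall persists its token under "_security_<firewall name>".
            'session_has_token_key' => $session->has('_security_' . $this->firewallName),
            'session_name' => $session->getName(),
            'security_keys' => array_values(preg_grep('/^_security/', array_keys($session->all()))),
        ]);
    }
}
```

Comparing the first logged request path and `session_name` against the login request shows whether the token was never written or was lost on a later request.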