Symfony – Target path is null on cURL like user request

  authentication, facebook-opengraph, referer, symfony

I have an application with restricted access to the whole site, except for login and password recovery.
I’m trying to add to the login view open graph meta tags with data based on the referer address. To do that, I use the Symfony\Component\Security\Http\Util\TargetPathTrait in the login action like this:

$referer = $this->getTargetPath($request->getSession(), 'main');

Locally, I use the Open Graph Preview Chrome add-on, and it works perfectly. As an anonymous user, I try to access a page, and am then redirected to the login page. Here $referer is not null and I can retrieve the data I need to generate meta tags.

Now, on the test environment on my production server, with the Open Graph Chrome add-on, it still works. When I share a link through Telegram, the preview is displayed as expected. But when I share the same link through Facebook Messenger, I don’t get what I want.
Edit: doesn’t work with Discord and WhatsApp either.

I’ve made some tests with the Facebook debugger; it appears that $referer is null and I don’t understand why. It looks like Symfony access control has a particular behavior when a Facebook service tries to see a page, as no session data seems to be managed by the Symfony security components.

The login feature of the application is quite simple, as it follows the basic steps described in the Symfony documentation.

Does anyone have a clue about what I can do to fix that? Meanwhile, I’m trying to find a workaround with Symfony events.

EDIT: I reproduced the issue locally, with a cURL request. In that case it appears no session is handled. The Symfony\Component\Security\Http\Util\TargetPathTrait::getTargetPath method is useless, as Symfony stores the target path in the session.

So now, when an anonymous user tries to request a restricted URL, I add the referer as a GET parameter to the redirect login URL.

Cool thing, now the preview works perfectly on Discord and still works on Telegram.

Sadly, it still doesn’t work on Facebook’s apps (Messenger and WhatsApp).
So, I took a look at the Facebook debugger tool. And here comes the strange thing: the redirect URL requested by the FB service is different from the one my application normally gives.
Expected URL : https://domain.ext/login?referer=https://domain.ext/referer/path
URL requested by FB : https://domain.ext/login?randomCoherentParamName=intValue

The odd thing is that ‘randomCoherentParamName’ corresponds to a route parameter from the referer URL.

Here is how I generate the redirect URL:

// From a class that extends
// Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator
/**
 * Override to control what happens when the user hits a secure page
 * but isn't logged in yet.
 *
 * @return RedirectResponse
 */
public function start(Request $request, AuthenticationException $authException = null)
{
    // The full requested URI is passed to the login route as the "referer" query parameter.
    $url = $this->urlGenerator->generate('loginRoute', ['referer' => $request->getUri()]);

    return new RedirectResponse($url);
}
If anyone has a clue of what’s going on, I will appreciate any advice :).

Source: Symfony Questions
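
The workaround in the post moves the target URL out of the session and into a `referer` query parameter, which any client can set, so the login action should reduce it to a same-site path before using it to build meta tags. The following is an added example, not code from the original post; the function name `refererToLocalPath` and the `$allowedHost` argument are assumptions, and the sample URLs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Added example: reduce a client-supplied "referer" value to a path on our
 * own host, or return null when it is anything else.
 * $allowedHost is an assumed configuration value (the site's canonical host).
 */
function refererToLocalPath(?string $referer, string $allowedHost): ?string
{
    if ($referer === null || $referer === '' || strlen($referer) > 2048) {
        return null;
    }
    // Reject whitespace, control characters and backslashes
    // (some clients normalise "\" to "/").
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $referer) === 1) {
        return null;
    }
    $parts = parse_url($referer);
    // Userinfo ("https://domain.ext@other.host/") is never expected here.
    if ($parts === false || isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if ($scheme !== 'https' || $host !== strtolower($allowedHost)) {
        return null;
    }
    $path = $parts['path'] ?? '/';
    // A path starting with "//" would be read as a protocol-relative URL.
    if ($path === '' || $path[0] !== '/' || strpos($path, '//') === 0) {
        return null;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Constructed inputs; domain.ext is the placeholder host used in the post.
$samples = [
    'https://domain.ext/referer/path?id=3', // accepted: /referer/path?id=3
    'http://domain.ext/referer/path',       // rejected: not https
    'https://other.example/referer/path',   // rejected: foreign host
    'https://domain.ext@other.example/',    // rejected: userinfo
    'https://domain.ext//other.example/',   // rejected: "//" path
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", $s, var_export(refererToLocalPath($s, 'domain.ext'), true));
}
```

Only the returned path should be used to look up Open Graph data or as a post-login redirect target; a null result means falling back to the default login page metadata.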