How I fixed exception ‘Bad credentials’ with FOSUserBundle

Waaaa, no fair, unexpected nasty bug message on prod? Boo.

Yup, this one just caught me out – and thankfully my good buddy, brother, and friend managed to pick it up whilst doing some ad-hoc Quality Assurance checks.

Disclaimer: This site may have been in prod, but only just, this was the first release to live 🙂 So no major foul.

Disclaimer part 2: Yes, there is now a passing Codeception acceptance test to make sure this never happens again 🙂

Ok, so this is the bug message (mainly for Google users' benefit):

UPDATE `your_table_name` SET exception 'Symfony\Component\Security\Core\Exception\BadCredentialsException' with message 'Bad credentials' in /var/www/html/
Stack trace:
#0 /var/www/html/ session_start()
#1 /var/www/html/ Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage->start()
#2 /var/www/html/ Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage->getBag('attributes')
#3 /var/www/html/ Symfony\Component\HttpFoundation\Session\Session->get('_security_main')
#4 /var/www/html/ Symfony\Component\Security\Http\Firewall\ContextListener->handle(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent))
#5 [internal function]: Symfony\Component\Security\Http\Firewall->onKernelRequest(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent), 'kernel.request', Object(Symfony\Component\EventDispatcher\ContainerAwareEventDispatcher))
#6 /var/www/html/ call_user_func(Array, Object(Symfony\Component\HttpKernel\Event\GetResponseEvent), 'kernel.request', Object(Symfony\Component\EventDispatcher\ContainerAwareEventDispatcher))
#7 /var/www/html/ Symfony\Component\EventDispatcher\EventDispatcher->doDispatch(Array, 'kernel.request', Object(Symfony\Component\HttpKernel\Event\GetResponseEvent))
#8 /var/www/html/ Symfony\Component\EventDispatcher\EventDispatcher->dispatch('kernel.request', Object(Symfony\Component\HttpKernel\Event\GetResponseEvent))
#9 /var/www/html/ Symfony\Component\EventDispatcher\ContainerAwareEventDispatcher->dispatch('kernel.request', Object(Symfony\Component\HttpKernel\Event\GetResponseEvent))
#10 /var/www/html/ Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object(Symfony\Component\HttpFoundation\Request), 1)
#11 /var/www/html/ Symfony\Component\HttpKernel\HttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#12 /var/www/html/ Symfony\Component\HttpKernel\DependencyInjection\ContainerAwareHttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#13 /var/www/html/ Symfony\Component\HttpKernel\Kernel->handle(Object(Symfony\Component\HttpFoundation\Request))
#14 {main}

Lovely job.

Anyway, this was a pretty simple fix, even though there isn’t much about this on Google.

As part of this project, I needed to overwrite the default FOS User Bundle templates with my own. A pretty typical task tbh.

As it happened though, I had kept the FOS User Bundle error logic, but removed the translation part.

Something like this:

{% trans_default_domain 'FOSUserBundle' %}

{% block fos_user_content %}
{% if error %}
    {{ error.messageKey|trans(error.messageData, 'security') }}
{% endif %}
{% endblock %}

And I had gone ahead and changed that in my template to something like this:

{% block content %}
{% if error %}
    {{ error.messageKey|trans(error.messageData, 'security') }}
{% endif %}
{% endblock %}

So I had removed the trans_default_domain, which in turn was – as far as I can tell – simply rendering out the full stack trace.

I’m not sure if FOSUserBundle catches that error, and then translates it? That seems kinda unusual to me.

Anyway, hopefully this saves someone some time, someday, some time soon 😉
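The regression check mentioned in the second disclaimer could look like the following. This is an added example, not the author's actual test: a Codeception acceptance test in the 1.x Cept format that fails if a bad login renders exception internals. The `/login` route and the `_username`, `_password` and `#_submit` fields are FOSUserBundle defaults and are assumptions about this site, as are the constructed credentials.

```php
<?php
// Added example (Cept format, Codeception 1.x "Guy" naming).
// Assumed: FOSUserBundle's default /login route and form field names.
$I = new WebGuy($scenario);
$I->wantTo('check that a failed login never renders exception internals');

// Strings that only reach the browser when an exception object or its
// trace is printed into the template (all taken from the output above).
$leakMarkers = array(
    'Stack trace',
    'BadCredentialsException',
    'Symfony\\Component',
    '/var/www/html',
    '{main}',
);

// Constructed credentials: an unknown account, then a wrong password.
$attempts = array(
    array('no-such-user@example.com', 'wrong-password'),
    array('someuser', 'definitely-not-the-password'),
);

foreach ($attempts as $attempt) {
    $I->amOnPage('/login');
    $I->fillField('_username', $attempt[0]);
    $I->fillField('_password', $attempt[1]);
    $I->click('#_submit');

    // A failed login should land back on the form...
    $I->seeInCurrentUrl('/login');

    // ...and the response body must not contain any internals.
    foreach ($leakMarkers as $marker) {
        $I->dontSee($marker);
    }
}
```

Running it against the production configuration (debug off) matters, because the dev environment shows traces by design.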

Testing Sessions With Codeception

Testing sessions is a pain.

But it’s better to have pain when testing than pain when the site is live.

So test we must.

Ok, so as I’m all about Symfony 2, this is going to be an example of testing a Symfony 2 Service that makes use of Sessions.

First of all, we define our service so that the Symfony 2 Session (Symfony\Component\HttpFoundation\Session\Session) is injected for us.

services:
    our_session_manager:
        class: Our\BundleDir\OurBundle\Service\OurSessionManager
        arguments:
            - "@session"

Hoorah, nice and easy. Feel free to use whatever naming convention you like for your service. Personally I like to make it quite verbose, so it’s super easy to track down where that service lives when you return to your project in 6 months’ time.

If you’re wondering what other things can be injected, then this chapter of the Symfony docs is worth a read. Also, try using:

php app/console container:debug

on your command line.

So, we have our service definition. Now to make our service, and our associated test file.

The service itself:

<?php

namespace Our\BundleDir\OurBundle\Service;

use Symfony\Component\HttpFoundation\Session\SessionInterface;

class OurSessionManager
{
    const OUR_THING = 'our_thing';

    private $session;

    public function __construct(SessionInterface $sessionInterface)
    {
        $this->session = $sessionInterface;
    }

    public function setOurConstantThing($value)
    {
        $this->session->set(self::OUR_THING, $value);

        return $this->session;
    }

    public function getOurConstantThing()
    {
        // Fall back to an empty string when nothing has been stored yet.
        return $this->session->get(self::OUR_THING, '');
    }
}

Your implementation can do whatever it likes. This example is deliberately convoluted to show off a few things.

Naughty, we wrote an implementation without writing some tests. Let’s fix that before we get in trouble.

class OurSessionManagerTest extends \Codeception\TestCase\Test
{
    private $serviceContainer;
    private $service;
    protected $codeGuy;

    protected function _before()
    {
        // Pull the service under test out of the Symfony 2 container.
        $this->serviceContainer = $this->getModule('Symfony2')->container;
        $this->service = $this->serviceContainer->get('our_session_manager');
    }

    protected function _after()
    {
        // (body not preserved on this page)
    }

    public function testCanSetOurConstantThing()
    {
        /** @var $session \Symfony\Component\HttpFoundation\Session\SessionInterface */
        $session = $this->service->setOurConstantThing('my_value');
    }

    public function testCanGetOurConstantThingWhenSet()
    {
        // (body not preserved on this page)
    }

    public function testGetDefaultValueWhenAValueIsNotSet()
    {
        // (body not preserved on this page)
    }
}

The third test is testing the following:

return $this->session->get(self::OUR_THING, '');

Essentially that’s saying, get me our thing, or return '' (an empty string) if our thing isn’t set. You’re free to return null, a default value, or whatever.

But the critical thing for testing sessions is the _after() method. This is killing off any residual session stuff, and then on each new test, starting with a blank slate – so to speak.
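One way the three test bodies and the `_after()` reset could be written, as an added example rather than the author's original code. It assumes the container's `session` service is the same instance injected into `our_session_manager`, and it uses `clear()` as the reset, which is a choice made here, not something the page confirms.

```php
<?php
// Added example: bodies written to match the test names on this page.
use Our\BundleDir\OurBundle\Service\OurSessionManager;

class OurSessionManagerTest extends \Codeception\TestCase\Test
{
    private $serviceContainer;
    private $service;

    protected function _before()
    {
        $this->serviceContainer = $this->getModule('Symfony2')->container;
        $this->service = $this->serviceContainer->get('our_session_manager');
    }

    protected function _after()
    {
        // Assumed reset: drop every attribute so no value written by one
        // test is still readable from the session in the next one.
        $this->serviceContainer->get('session')->clear();
    }

    public function testCanSetOurConstantThing()
    {
        $session = $this->service->setOurConstantThing('my_value');
        $this->assertSame('my_value', $session->get(OurSessionManager::OUR_THING));
    }

    public function testCanGetOurConstantThingWhenSet()
    {
        $this->service->setOurConstantThing('my_value');
        $this->assertSame('my_value', $this->service->getOurConstantThing());
    }

    public function testGetDefaultValueWhenAValueIsNotSet()
    {
        // Both checks fail if 'my_value' from an earlier test leaked through.
        $session = $this->serviceContainer->get('session');
        $this->assertFalse($session->has(OurSessionManager::OUR_THING));
        $this->assertSame('', $this->service->getOurConstantThing());
    }
}
```

The third test is the one that proves isolation: with the `_after()` body removed it should start failing whenever it runs after either of the first two.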

So, there we go. Testing sessions in Codeception.