Tip. Check config_prod.yml for subtle configuration differences.
I encountered the same problem when testing the prod environment on my local machine; while I could authenticate to dev, I could not authenticate to prod, which gave the error mentioned by OP:
security.INFO: Authentication request failed: Your session has timed-out, or you have disabled cookies. [] []
The bit about disabled cookies made me think.
Then I checked the network tab in my browser and took a peek at the request / response for the page. I noticed that a session cookie was provided in the server response, but was not sent by the browser in the request.
Then I had my aha moment:
I was using secure cookies over an unencrypted connection.
On our production server, all unencrypted traffic is redirected to a TLS connection, so it makes sense to use secure cookies in the prod environment; in config_prod.yml:
    framework:
        session:
            cookie_secure: true
The effect is that secure will be added to the session cookie:
Set-Cookie:PHPSESSID=66117caf467ef2bf8efee373b52449ba; path=/; secure; HttpOnly
Relevant browsers / user agents will not send a cookie with the secure flag set on an unencrypted HTTP request.
The fact is that PHP session handling does not know or care about the secure flag (it was added by Symfony), so a session cookie can be sent over an unencrypted connection, and the browser (or at least Chrome 35) will, incomprehensibly, actually use a secure cookie received through an insecure / unencrypted connection. I assume that is not so difficult to understand: it is the server's responsibility to cancel the sessions, not the browser's.
Solution
I installed HTTPS on my local computer so that I can test the prod environment without needing to tinker with the configuration. Enforcing HTTPS-only connections in production made things simpler for my team, but took a little work.
Takeaway: higher parity between local and prod is usually better!
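Added example, not part of the original answer: the same round trip reproduced offline with Python's standard http.cookiejar, which stores a Secure cookie received over plain HTTP but withholds it from the next plain-HTTP request. The host app.example.test, the paths, and the session id are constructed for illustration.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar

# Constructed sample: same shape as the header in the answer, made-up session id.
SECURE_COOKIE = "PHPSESSID=constructed0session0id; path=/; secure; HttpOnly"
PLAIN_COOKIE = "PHPSESSID=constructed0session0id; path=/; HttpOnly"


class FakeResponse:
    """Offline stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_round_trip(login_url, next_url, set_cookie):
    """Receive set_cookie in the response to login_url, then build a request
    to next_url. Returns (names stored in the jar, Cookie header or None)."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie),
                        urllib.request.Request(login_url))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)  # applies the Secure/path/domain checks
    return [c.name for c in jar], follow_up.get_header("Cookie")


def session_survives(scheme, set_cookie):
    """True if the session cookie comes back on the request after login."""
    base = scheme + "://app.example.test"  # hypothetical host
    _, sent = cookie_round_trip(base + "/login", base + "/login_check",
                                set_cookie)
    return sent is not None


if __name__ == "__main__":
    for scheme in ("http", "https"):
        for label, header in (("secure", SECURE_COOKIE),
                              ("plain", PLAIN_COOKIE)):
            ok = session_survives(scheme, header)
            print(f"{scheme:5} {label:6} cookie returned: {ok}")
```

Only the http + secure combination loses the session, which is the case that produces the "session has timed-out, or you have disabled cookies" error above.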