Entity Provider instructions (or code ) are incorrect in some cases.

I've seen a few reports (3 including myself) in the #symfony irc channel about being logged in, but not being authenticated (as per the profiler) since the documentation was changed.

They all say they followed the documentation here: http://symfony.com/doc/current/cookbook/security/entity_provider.html in regards to serializing only the id properties
of their entities.

As soon as they add username, salt, password fields (like the docs previously were).
then it lights up green and they are properly authenticated.

I'm not sure what is being done wrong (code or docs), so i'd like to see about pinning it
down. It seems to affect most 2.1.x versions including the current one (2.1.7). I'm not
at all sure about 2.0.x versions.

@weaverryan : according to @stof, the PR that was accepted to only use ID was incorrect.

let me actually mention the quote directly.

The issue is in the doc. The values used to compare the unserialized user and the reloaded user of course need to be kept when serializing, otherwise they will be different

[weaverryan]

@jrobeson - yes, it makes perfect sense now :), and it's absolutely a doc issue. There are multiple ways to do things, but if you follow the docs then:

1. The User is serialized with only the id on it (no username)

2. The user is reloaded using the id, so it reloads just fine.

3. The example isEqualTo is called on the unserialized User object (the one with only an id) and passed the new, refreshed User object. If this method returns false, the token is de-authenticated. That's where our mis-match happens :).

I've just pushed a fix to the 2.0 and 2.1 branches, which should fix things - but let me know if you have any issues with it.

Thanks for following up on this - it was definitely a real issue!

[dlin-me]

The docs are ok, you just need to implement the EquatableInterface interface. Otherwise the authenticated user in the token after unserialisation is not considered as the same of the current user and hence not 'Authenticated'

http://api.symfony.com/2.1/Symfony/Component/Security/Core/User/EquatableInterface.html

[MFFoX]

@dlin-me is right. I was having the same issue of a user not being authenticated after logging in successfully. I followed the exact instruction of the Cookbook Entity Provider documentation.

The solution (found here) was that the User entity needed to implement the EquatableInterface :

use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\EquatableInterface;

class User implements UserInterface, EquatableInterface
{

//...
public function isEqualTo(UserInterface $user)
    {
    return $this->id === $user->getId();
    }

//...
}

[stof]

@MFFoX your implementation of isEqualTo does not really make sense IMO. Its goal is to decide whether the user must authenticate again if the user serialized in the session does not match the user retrieved from the DB. It generally makes sense to force reauthenticated if the username or the hashed passwords are different (i.e. they have been modified from another part of the system)