Wrong advice in "How to load Security Users from the Database (the Entity Provider)" cookbook entry

[fberci]

The cookbook recommends implementing a custom serialize() method on your User object that only persists the id. However, this creates an unexpected issue. As the cookbook says, the User object will be refreshed after deserialization, but because the username field (among others) is missing from the deserialized object, Symfony will detect that the object has changed, and therefore it will set the token's authenticated flag to false. This should not happen.

The creators of the FOSBundle have also noticed this issue, please see their comment.

[wouterj]

When not implementing the EquatableInterface, the hasUserChanged method uses the username, password and salt to compare the user. These three should be serialized.

When not having a custom entity user repositroy, the EntityUserProvider uses the identifier to refresh a user.

So at least 4 properties should be serialized: $this->username, $this->password, $this->salt and $this->id. The first example in the cookbook referenced in the start should be updated to follow this.

[weaverryan]

Fixed up now - thanks very much Bertalan for the report - this was a good one!