What happens when user object is serialized, unserialized and implements EquatableInterface needs clarification or a rewrite.

[tetranz]

http://symfony.com/doc/current/cookbook/security/entity_provider.html#understanding-serialize-and-how-a-user-is-saved-in-the-session

Related issue: [Security] Change of username / password does not cause logout

I think that "bug" is really a documentation issue. People read the documentation and expect to be redirected to the login page if isEqualTo() returns false. If I understand correctly, what really happens is that the authentication token is invalidated but you are not logged out as the docs suggest. A new token is created the next time AuthorizationCheckerInterface::isGranted() is called.

It's a confusing subject. I could have a go at rewriting it but I think it would be best to come from someone with a deep understanding of Symfony security.

[ThePeterMick]

Changing the value of isEnabled() from true to false behind the scenes will get the user logged out immediately. So in this case - it does behave as per the current docs - other scenarios do not behave as described by the docs.

[ThePeterMick]

@tetranz Suggest updating the title of this to remove EquatableInterface part as this happens for all scenarios including those that do not implement EquatableInterface and instead implement Advanced / UserInterface. Just so we don't narrow it down to that interface specifically.

[johnutzm]

Found this in Authentication Success and Failure Events:

When a provider attempts authentication but fails (i.e. throws an AuthenticationException)

I used the EquatableInterface to trigger checking for changes. My User class looks like this:

class User implements AdvancedUserInterface, EquatableInterface
{
    public function isEqualTo(UserInterface $user)
    {
        if ($this->password !== $user->getPassword()) {
            throw new AuthenticationException('Password has changed');
        }

        return true;
    }
}

It's working!

[javiereguiluz]

Closing because we've just merged a complete refactorization of security docs in #10423. We've decided to reduce the explanations about EquatableInterface.