
As I understand it, when the user logs in successfully, Symfony keeps a copy of the User document/entity either in the session.handler.native_file or in a db provider, whichever is configured. On future requests this information is retrieved with the session id kept in the cookie.

My problem is that whenever a user updates their password or username (which is their e-mail), previously opened sessions on other computers or browsers don't expire or get invalidated.

The EquatableInterface is supposed to check for this, but it's not really working for me. I added the following stub to the User class:

#User.php
// Inside class User implements UserInterface, EquatableInterface.
// Always reporting "not equal" should mark every refreshed user as changed.
public function isEqualTo(UserInterface $user)
{
    return false;
}

After refreshing the browser, nothing changed. My session was still valid, and checking the fetched User with a dump($this->getUser()) gave me the currently updated User and not the one that was stored at the beginning of the session.

I tried using:

#security.yml
security:
    always_authenticate_before_granting: true

to see if it would do anything, but it really didn't work.

Using the Symfony Profiler, I see that a User is fetched from the db on every request, and I wonder if it is at this point that the UserProviderInterface just updates the user in the security.token_storage instead of first checking for changes and ending the session if necessary.

To make sure this was happening, I tested this controller on two different browsers:

#SomeController.php
public function indexAction()
{
    $encoder = $this->get('security.password_encoder');
    // User as currently held in security.token_storage for this session
    $user = $this->getUser();

    // true if the stored hash matches the password that was set after login
    $flag = $encoder->isPasswordValid($user, 'MY_NEW_PASSWORD');

    dump($flag);

    return [];
}

I logged in to my application on both browsers, then logged out on browser A. I changed the User password to 'MY_NEW_PASSWORD' and just refreshed browser B. The dump was true for the new password.

If this is the case, I wonder: is there any way to make a check against the db before granting authorization when the User is fetched from the security.token_storage? (It would be a service that runs on the fetch event, I guess.)

Or maybe I'm overcomplicating stuff and there is a super simple solution that I just haven't figured out =|

  • Have you already seen this http://stackoverflow.com/questions/27987089/invalidate-session-for-a-specific-user-in-symfony2 and this http://stackoverflow.com/questions/28805856/how-to-destroy-all-sessions-in-symfony-2? – Matteo Apr 29 '17 at 16:13
  • Hello, I saw both solutions and none of them worked (pretty sure I made it clear in the question). After some testing I think it has something to do with the mongodb user provider(?), as whenever I test `isEqualTo()` and the password has changed it returns false, but the `UserProvider` still refreshes the user. Now I think I should make my own service to provide the user: when it calls `refreshUser()`, and in case `isEqualTo()` returns false, throw an `UnsupportedUserException` to force it to end the session. – Christopher Hoyos Apr 30 '17 at 17:37
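The approach the second comment sketches, written out as an added example that is not from the question or from Symfony itself: a decorating user provider whose refreshUser() compares the session copy of the User with the stored record and throws UsernameNotFoundException, which the firewall's ContextListener treats as "this user is no longer valid" and clears the token (an UnsupportedUserException would only make it try the next configured provider). Class, service and provider names are assumed, and the wrapped provider is assumed to reload the user from the database, as the Doctrine ORM/ODM providers do.

```php
<?php
// AppBundle/Security/SessionCheckedUserProvider.php (hypothetical path and names)
namespace AppBundle\Security;

use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

// Decorates the existing DB/ODM provider. Register it as a service that takes the
// real provider as its argument, then point security.yml at it:
//   providers: { app_users: { id: app.session_checked_user_provider } }
class SessionCheckedUserProvider implements UserProviderInterface
{
    private $inner;

    public function __construct(UserProviderInterface $inner)
    {
        $this->inner = $inner;
    }

    public function loadUserByUsername($username)
    {
        return $this->inner->loadUserByUsername($username);
    }

    // Called by the firewall's ContextListener on every request with the User that
    // was unserialized from the session, i.e. the copy taken at login time.
    public function refreshUser(UserInterface $sessionUser)
    {
        if (!$this->supportsClass(get_class($sessionUser))) {
            throw new UnsupportedUserException(sprintf('Unsupported class "%s".', get_class($sessionUser)));
        }
        $fresh = $this->inner->refreshUser($sessionUser); // what the DB holds now

        // Any change to the login identity, hash or salt since login ends this session.
        if ($fresh->getUsername() !== $sessionUser->getUsername()
            || $fresh->getPassword() !== $sessionUser->getPassword()
            || $fresh->getSalt() !== $sessionUser->getSalt()) {
            // ContextListener drops the token on this exception, so the request continues
            // unauthenticated and access_control sends the browser back to the login form.
            throw new UsernameNotFoundException('Credentials changed since login.');
        }
        return $fresh;
    }

    public function supportsClass($class)
    {
        return $this->inner->supportsClass($class);
    }
}
```

This only works if the User's serialize() keeps the password hash and salt in the session copy; if it strips them, compare a credentials-version or last-password-change field instead.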

0 Answers