11

I suppose eraseCredentials is meant for logout? If so, how do I clear the session from a Doctrine Entity?

Jiew Meng

2 Answers

29

No, eraseCredentials() is meant for erasing sensitive data before persisting a token — be it serialization or a database.

To logout a user programmatically, you can use this:

    // Inside a Symfony 2 controller: drop the security token, then destroy the session
    $this->get('security.context')->setToken(null);
    $this->get('request')->getSession()->invalidate();
Elnur Abdurrakhimov
  • Yes, if you store them as plaintext. – Elnur Abdurrakhimov Dec 12 '11 at 13:38
  • Oh no, I don't store them as plain text, but I think I should still remove them? – Jiew Meng Dec 13 '11 at 00:42
  • 4
    Don't remove anything that needs to be persisted. Some people store both an encrypted password and a temporary plaintext one. On persisting a user, they check the plaintext one, and if it's present, they encrypt it and store in the field for the encrypted one. The plaintext password is not meant to be persisted, so it's safe to erase it. If you don't erase it, it will be serialized into the user's session and will be exposed to other people — which negates all the benefits of encrypting passwords in the first place. – Elnur Abdurrakhimov Dec 13 '11 at 02:06
  • Oh, I think for my purposes I shouldn't do anything. But I don't get why passwords are stored in clear text even temporarily, since you already implemented the authentication with encryption? How will you differentiate a password in clear text vs encrypted, suppose both happen to be of the same length? And passwords should not be able to be decrypted? Hashing done one way? – Jiew Meng Dec 13 '11 at 07:50
0

In addition to what has been said by Elnur Abdurrakhimov, I suggest checking out this article explaining how and why we should use the UserInterface::eraseCredentials method. Basically, it's not a good idea to reuse the password property for storing the plain text password and then to overwrite it with the encoded version, because it's a prerequisite error - the programmer may forget to encode the password and persist the object as is, storing the plain text instead of the encrypted password.

stz184
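One way to implement the pattern Elnur describes in his comment (a transient plaintext field next to the persisted encoded one) while keeping the two properties separate as stz184 recommends, written as an added example that is not from either answer or from Symfony itself. The User entity, its field names and the UserPasswordUpdater service are assumptions of this example; UserInterface, EncoderFactoryInterface and PasswordEncoderInterface::encodePassword($raw, $salt) are Symfony 2 APIs.

```php
<?php
// Added example, not from the thread. Assumes Symfony 2's security component:
// UserInterface, EncoderFactoryInterface and encodePassword($raw, $salt).
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
/** @ORM\Entity */
class User implements UserInterface
{
    /** @ORM\Column(type="string") */
    private $username;
    /** @ORM\Column(type="string") */
    private $salt;
    /** @ORM\Column(type="string") The encoded password: the only one persisted. */
    private $password;
    /** Not mapped: never reaches the database, lives only until erased. */
    private $plainPassword;
    public function __construct($username)
    {
        $this->username = $username;
        $this->salt = base64_encode(openssl_random_pseudo_bytes(16));
    }
    public function setPlainPassword($plain) { $this->plainPassword = $plain; }
    public function getPlainPassword()      { return $this->plainPassword; }
    public function setPassword($encoded)   { $this->password = $encoded; }
    public function getRoles()    { return array('ROLE_USER'); }
    public function getPassword() { return $this->password; }
    public function getSalt()     { return $this->salt; }
    public function getUsername() { return $this->username; }
    // Called by the firewall after authentication, before the token is stored in
    // the session: the plaintext is dropped so it is never serialized or logged.
    public function eraseCredentials() { $this->plainPassword = null; }
}
// Hypothetical service (not part of Symfony): encode before persisting, so a
// plaintext value can never be written into the password column by mistake.
class UserPasswordUpdater
{
    private $encoderFactory;
    public function __construct(EncoderFactoryInterface $f) { $this->encoderFactory = $f; }
    public function updatePassword(User $user)
    {
        if (null === $user->getPlainPassword()) {
            return; // no new password supplied; keep the stored encoded one
        }
        $encoder = $this->encoderFactory->getEncoder($user);
        $user->setPassword($encoder->encodePassword($user->getPlainPassword(), $user->getSalt()));
        $user->eraseCredentials(); // plaintext not needed past this point
    }
}
```

Call updatePassword() from the code that handles a registration or password-change form before flushing the entity manager; the persisted column then only ever holds encoded values, and the session token never carries the plaintext.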