LdapBundle

Dead lock of authentication

Open NikolaySl opened this issue 11 years ago • 3 comments

On each request Symfony2 refreshes the user object (ContextListener::handle): it searches for the user in LDAP and compares the user object with the one stored in the session (AbstractToken::hasUserChanged). If the objects are not equal, the token is marked as not authenticated (AbstractToken::setUser) and Symfony2 tries to authenticate the user by token (AccessListener::handle). But the token has no information about the user password, and the LDAP bind operation leads to a "Bad credentials" error.

As long as the token is valid it's not erased. This leads to a deadlock until the session information is erased.

NikolaySl (Oct 10 '14 15:10)

Right. I'll check how to fix it.

BorisMorel (Oct 14 '14 12:10)

@NikolaySl I have two ways:

  • The function LdapUser::isEqualTo never checks whether the user has changed; return true in all cases.
  • Don't purge the user password from the token.

Any opinion ?

BorisMorel (Oct 15 '14 12:10)

Hey @BorisMorel,

  • This won't resolve the issue completely (the potential problem is in AbstractToken::hasUserChanged); I think returning the parameter in LdapUserProvider::refreshUser is more convenient. This approach can be optional: the application owner could set a flag in parameters.yml and the bundle won't do any refresh requests for the user. It solves the referenced feature request but introduces some security risk: user roles could be changed during the session.
  • Yes, it will solve the problem but it's not secure; the default Memory/DB providers hash the password and store the hashed value, which is secure.

I'd prefer to force the user to log out somehow. Is it possible to throw AuthenticationCredentialsNotFoundException when the token is re-authenticated in AccessListener::handle (somewhere in LdapAuthenticationProvider::authenticate)? I can't find a way to distinguish an anonymous bind (without password) from the token expiration situation.

NikolaySl (Oct 16 '14 15:10)
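A runnable model of the refresh / compare / re-authenticate cycle described in the issue, and of the forced-logout idea in the last comment, added here as an example; it is not LdapBundle or Symfony code. `UserLike`, `EquatableLike`, `Token`, `FakeLdap`, `handleRequest`, `login` and the `alice` directory entry are stand-ins I assume for the corresponding Symfony and LDAP pieces. The strict object comparison in the "naive" run reproduces the symptom (every refresh looks like a change) without claiming that is exactly what AbstractToken::hasUserChanged does.

```php
<?php
// Added example, not LdapBundle/Symfony code. Stand-ins for UserInterface and
// EquatableInterface; FakeLdap, Token and the sample directory are assumptions.

interface UserLike {
    public function getUsername(): string;
    public function getRoles(): array;
    public function eraseCredentials(): void;
}

// Mirrors the idea of Symfony's EquatableInterface: the user decides what "changed" means.
interface EquatableLike {
    public function isEqualTo(UserLike $user): bool;
}

final class LdapUser implements UserLike, EquatableLike {
    public function __construct(private string $username, private array $roles, private ?string $password = null) {}
    public function getUsername(): string { return $this->username; }
    public function getRoles(): array { return $this->roles; }
    public function eraseCredentials(): void { $this->password = null; }

    // Compare the identity that matters (name + roles), not object identity and not the
    // erased password. A role change in LDAP still counts as a change.
    public function isEqualTo(UserLike $user): bool {
        return $user->getUsername() === $this->username && $user->getRoles() === $this->roles;
    }
}

final class Token {
    public bool $authenticated = false;
    public function __construct(public UserLike $user, public string $credentials) {}
}

// Constructed stand-in for an LDAP directory: username => [password, roles].
final class FakeLdap {
    public function __construct(private array $directory) {}
    public function bind(string $user, string $password): bool {
        // An empty password would be an anonymous bind on a real server; refuse it here.
        if ($password === '' || !isset($this->directory[$user])) { return false; }
        return hash_equals($this->directory[$user][0], $password);
    }
    public function loadUser(string $user): LdapUser {
        return new LdapUser($user, $this->directory[$user][1]);   // no password comes back from a search
    }
    public function setRoles(string $user, array $roles): void { $this->directory[$user][1] = $roles; }
}

// Naive mode: strict object comparison, so a freshly loaded user always looks changed.
// Equatable mode: defer to isEqualTo().
function hasUserChanged(UserLike $stored, UserLike $fresh, bool $useEquatable): bool {
    if ($useEquatable && $stored instanceof EquatableLike) { return !$stored->isEqualTo($fresh); }
    return $stored !== $fresh;
}

function login(FakeLdap $ldap, string $user, string $password): ?Token {
    if (!$ldap->bind($user, $password)) { return null; }
    $token = new Token($ldap->loadUser($user), $password);
    $token->authenticated = true;
    $token->credentials = '';          // like eraseCredentials(): the password is not kept in the session
    return $token;
}

// One request: refresh the user (ContextListener), then re-authenticate if needed (AccessListener).
function handleRequest(?Token &$sessionToken, FakeLdap $ldap, bool $useEquatable, bool $forceLogout): string {
    if ($sessionToken === null) { return 'anonymous'; }
    $fresh = $ldap->loadUser($sessionToken->user->getUsername());
    if (hasUserChanged($sessionToken->user, $fresh, $useEquatable)) {
        $sessionToken->user = $fresh;
        $sessionToken->authenticated = false;   // what AbstractToken::setUser does on a change
    }
    if ($sessionToken->authenticated) { return 'ok'; }
    // Re-authentication with no stored password: either drop the token (forced logout) ...
    if ($sessionToken->credentials === '' && $forceLogout) { $sessionToken = null; return 'logout'; }
    // ... or try an LDAP bind that cannot succeed; the token stays in the session, so the
    // next request fails the same way: the deadlock from the issue.
    if (!$ldap->bind($sessionToken->user->getUsername(), $sessionToken->credentials)) { return 'bad credentials'; }
    $sessionToken->authenticated = true;
    return 'ok';
}

$ldap = new FakeLdap(['alice' => ['s3cret', ['ROLE_USER']]]);   // constructed sample entry

// 1. Deadlock: every refresh looks like a change and no password is available to rebind.
$t = login($ldap, 'alice', 's3cret');
foreach ([1, 2, 3] as $i) { echo "naive request $i: ", handleRequest($t, $ldap, false, false), "\n"; }

// 2. isEqualTo on username + roles: the refresh is a no-op, the token stays authenticated.
$t = login($ldap, 'alice', 's3cret');
echo "equatable request: ", handleRequest($t, $ldap, true, false), "\n";

// 3. Roles really change in LDAP: the change is detected and the stale token is dropped.
$ldap->setRoles('alice', ['ROLE_USER', 'ROLE_ADMIN']);
echo "after role change: ", handleRequest($t, $ldap, true, true), "\n";
echo "next request: ", handleRequest($t, $ldap, true, true), "\n";
```

Run with `php deadlock.php` (PHP 8 or later, for constructor property promotion). The naive run prints `bad credentials` on every request and never recovers; the equatable run prints `ok`; after the role change the forced-logout path prints `logout` and then `anonymous`, which is the behaviour the last comment asks for instead of an endless "Bad credentials" loop.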