Symfony 2 UserInterface::equals($user): Comparing for re-authentication

From the UserInterface class

<?php

namespace Symfony\Component\Security\Core\User;

interface UserInterface
{
    /**
     * The equality comparison should neither be done by referential equality
     * nor by comparing identities (i.e. getId() === getId()).
     *
     * However, you do not need to compare every attribute, but only those that
     * are relevant for assessing whether re-authentication is required.
     *
     * @param UserInterface $user
     * @return Boolean
     */
    public function equals(UserInterface $user);
}

How should I implement this ("those relevant for assessing whether re-authentication is required")? So does this mean it's after Symfony 2 reauthenticated (username/password) the user? Or is this function used to reauthenticate? Do I check id, username, password, salt maybe? Doesn't Symfony reauthenticate the user by password check, which should be enough?

Jiew Meng asked Jun 05 '26 17:06


1 Answer

If equals() returns false the user will be forced to reauthenticate. What exactly you check is up to you, because it differs from one app to another. Generally, you need to compare everything that can change about a user that affects the security of your app.

For example, if email and password are used for authentication in your app, you need to compare them. On the contrary, comparing first name and last name fields doesn't make sense, since they don't affect anything related to authentication in your app — unless, of course, your app authentication is somehow based on them.

If you support different roles in your app — for example, admin and normal user — and your app provides a way of assigning and reassigning those roles to users, you need to compare roles too. Because if you want to demote a user from admin to normal user, you want that change to take effect as soon as possible — on the user's next request — without explicitly asking the user to logout and relogin. If you don't compare roles in this case, the user will stay an admin until her session expires.

Checking ID doesn't make sense unless your app provides a way to change users' IDs and they are used for authentication purposes in your app. And I wouldn't check salt either, because if it's changed that also means that the password is changed too, so checking for password alone would suffice.

Elnur Abdurrakhimov answered Jun 10 '26 17:06
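The following is an added example, not code from the question, the answer, or Symfony itself: a minimal user class whose equals() follows the answer's advice, comparing only the attributes that affect authentication (username, password hash, roles) and deliberately ignoring id, salt and display fields. The class name AppUser, its constructor arguments and the sample values are assumptions made for the example. It targets the Symfony 2.0 UserInterface shown in the question; from Symfony 2.1 on the same comparison is written as isEqualTo() on EquatableInterface, with identical semantics: returning false makes the firewall discard the session's authentication token and force a fresh login.

```php
<?php
// Added example (not part of the original page). Assumes Symfony's autoloader
// is available so that UserInterface resolves; the class and data are made up.

use Symfony\Component\Security\Core\User\UserInterface;

class AppUser implements UserInterface
{
    private $id;
    private $username;
    private $password;  // already hashed
    private $salt;
    private $roles;
    private $firstName; // display-only, never compared

    public function __construct($id, $username, $password, $salt, array $roles, $firstName)
    {
        $this->id        = $id;
        $this->username  = $username;
        $this->password  = $password;
        $this->salt      = $salt;
        $this->roles     = $roles;
        $this->firstName = $firstName;
    }

    public function getId()       { return $this->id; }
    public function getUsername() { return $this->username; }
    public function getPassword() { return $this->password; }
    public function getSalt()     { return $this->salt; }
    public function getRoles()    { return $this->roles; }
    public function eraseCredentials() {}

    /**
     * Decide whether the user stored in the session still matches the freshly
     * loaded user. Returning false forces re-authentication.
     */
    public function equals(UserInterface $user)
    {
        // A user object of another class can never be "the same" user.
        if (!$user instanceof self) {
            return false;
        }

        // Credentials: if the username or the password hash changed, the
        // session must not keep working with the old ones.
        if ($this->username !== $user->getUsername()) {
            return false;
        }
        if ($this->password !== $user->getPassword()) {
            return false;
        }

        // Roles: compare as sets so that ordering does not matter. A demotion
        // then takes effect on the user's next request, as the answer describes.
        $mine   = $this->roles;
        $theirs = $user->getRoles();
        sort($mine);
        sort($theirs);
        if ($mine !== $theirs) {
            return false;
        }

        // Deliberately not compared: id (stable, not a credential), salt (only
        // changes together with the password) and firstName (cosmetic).
        return true;
    }
}

// Constructed demonstration values.
$inSession = new AppUser(7, 'alice', 'hash-v1', 'salt-v1', array('ROLE_USER', 'ROLE_ADMIN'), 'Alice');

// Same credentials and roles, different role order and changed first name: still equal.
$renamed   = new AppUser(7, 'alice', 'hash-v1', 'salt-v1', array('ROLE_ADMIN', 'ROLE_USER'), 'Alicia');
var_dump($inSession->equals($renamed));   // bool(true)

// Admin role removed: not equal, so the session is invalidated on the next request.
$demoted   = new AppUser(7, 'alice', 'hash-v1', 'salt-v1', array('ROLE_USER'), 'Alice');
var_dump($inSession->equals($demoted));   // bool(false)

// Password changed (salt changed with it): not equal, old session cannot continue.
$rehashed  = new AppUser(7, 'alice', 'hash-v2', 'salt-v2', array('ROLE_USER', 'ROLE_ADMIN'), 'Alice');
var_dump($inSession->equals($rehashed));  // bool(false)
```

The sorted-array comparison matters in practice: if roles are loaded from a database join, their order is not guaranteed, and a naive `===` on the raw arrays would log users out at random. Comparing the password hash rather than the salt follows the answer's reasoning that a salt only changes when the password does.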