On 04.12.2010, at 13:21, Henrik Bjornskov wrote:

> I have found a little annoyance while working with the Security
> Component. Login / Logout and the providers work like a charm BUT the
> token which contains the user found by a provider gets serialized in
> the session. This means that every time the currently logged in user
> edits his/her profile they should logout and then log back in.
> 
> Is there a reason why the user is not fetched on every request so the
> data for the user is fresh and to check that the currently logged in
> user still exists? A user could in theory get deleted by the site
> owner while being logged in.
> 
> If the user was retrieved on every request it would also make working
> with Facebook users a little easier since they would call
> $facebook->getSession() when loading the user and if the user has removed their
> trust to the app it would automatically be invalid.


Well, this is really a cache invalidation topic and that means there are many 
different approaches:
- no caching is what you are proposing here
- marking things stale, aka on every request it would check if the user data is 
marked as stale and then update
- purging on change, this would require that sessions are somewhere associated 
with user IDs so that if there are changes to the user the session data 
could be modified accordingly
- ttl, aka in regular intervals the user would be fetched again

regards,
Lukas Kahwe Smith
[email protected]
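A sketch of the "marking things stale" approach from the reply above, added here as an example (not Symfony code and not from either poster); the UserRepository interface, its version column and the session array layout are assumptions:

```php
<?php
// Added example, not Symfony code and not from either poster in the thread.
// Implements the "marking things stale" approach: the session keeps the
// serialized user plus that row's version; each request does one cheap
// version lookup, re-fetches the full row only when it changed, and drops
// the login when the account no longer exists. UserRepository is assumed.

interface UserRepository
{
    /** Cheap lookup: current version of the user row, null if deleted. */
    public function findVersion(int $id): ?int;
    /** Full row: ['id' => int, 'version' => int, 'name' => string, ...] */
    public function findById(int $id): ?array;
}

final class SessionUserRefresher
{
    private UserRepository $users;
    public function __construct(UserRepository $users)
    {
        $this->users = $users;
    }
    /**
     * Returns the user to use for this request, or null when the session
     * login must be dropped because the account was deleted meanwhile.
     */
    public function refresh(array &$session): ?array
    {
        if (!isset($session['user'])) {
            return null; // anonymous request, nothing to refresh
        }
        $stored  = $session['user'];
        $version = $this->users->findVersion($stored['id']);
        if ($version === null) {
            unset($session['user']); // deleted while logged in: log out
            return null;
        }
        if ($version === $stored['version']) {
            return $stored; // serialized copy is still current
        }
        // Profile edited since login: replace the stale copy with fresh data.
        $fresh = $this->users->findById($stored['id']);
        if ($fresh === null) { // deleted between the two lookups
            unset($session['user']);
            return null;
        }
        $session['user'] = $fresh;
        return $fresh;
    }
}
```

With the "ttl" variant from the list, the version lookup would instead be skipped until a stored timestamp expires; the deletion check then only happens at that interval, which is the trade-off Henrik's Facebook case argues against.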


