While implementing shopping cart functionality at OpenSky, one of our developers was encountering the following PHP error during unserialization of the User-bearing Token object:
Notice: serialize(): "sku" returned as member variable from __sleep() but does not exist in /projects/opensky/src/vendor/symfony/src/Symfony/Component/Security/Core/Authentication/Token/Token.php on line 198

"Sku" is a property several reference levels down from our User model, which Token contains. I've previously only seen such errors when serialized objects in my session no longer matched the class structure in my code, but that was not the case for the above. In any event, our working solution involved implementing __sleep() on our User model to ensure only the $username property gets serialized.

ContextListener supports refreshing database users on each request, using UserProviderInterface::loadUserByAccount(). For FOS/UserBundle, the UserProvider implementation relies on AccountInterface::getUsername(). Other projects might prefer to fetch by something like the database ID, although a getId() call might violate the AccountInterface contract.

In addition to avoiding the PHP error, this seems to significantly reduce data in the session. The gains are obviously more noticeable if your User model contains references to other models (e.g. Cart, which references Products, etc.), as that can start a large chain of serialize calls across many objects.

--
jeremy mikola
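The __sleep() approach from the post, as an added example that is not code from the post, from Symfony or from FOS/UserBundle: a hypothetical User with a Cart/Product graph, the same model restricted to $username, and a class that reproduces the quoted notice by naming a property it does not have (assumes PHP 8).

```php
<?php
// Added illustration; the User/Cart/Product classes are constructed stand-ins,
// not the OpenSky or FOS/UserBundle models.
class Product { public function __construct(public string $sku) {} }
class Cart { /** @var Product[] */ public array $products = []; }

class User
{
    public ?Cart $cart = null;
    public array $roles = ['ROLE_USER'];
    public function __construct(public string $username, public string $password) {}
}

// The fix from the post: only the lookup key is serialized, so the session never
// carries the Cart/Product chain (or the password hash) and the security layer
// reloads the user from the database by username on the next request.
class LeanUser extends User
{
    public function __sleep(): array
    {
        return ['username'];
    }
}

// Naming a property the object does not have reproduces the quoted message
// (E_NOTICE on PHP 7, E_WARNING on PHP 8): '"sku" returned as member variable
// from __sleep() but does not exist'.
class BadSleep
{
    public string $username = 'x';
    public function __sleep(): array { return ['username', 'sku']; }
}

function buildCart(): Cart
{
    $cart = new Cart();
    for ($i = 0; $i < 3; $i++) {
        $cart->products[] = new Product(sprintf('SKU-%03d', $i)); // constructed data
    }
    return $cart;
}

$full = new User('alice', 'hashed-password'); $full->cart = buildCart();
$lean = new LeanUser('alice', 'hashed-password'); $lean->cart = buildCart();
printf("full: %d bytes, lean: %d bytes\n", strlen(serialize($full)), strlen(serialize($lean)));

// After unserialize() only username survives; $cart falls back to its default
// (null) and $password is left uninitialized, which is exactly what forces the
// user provider to rebuild the object rather than trusting session data.
$restored = unserialize(serialize($lean));
var_dump($restored->username, $restored->cart);
@serialize(new BadSleep()); // remove the @ to see the notice/warning
```

Run with php on the command line; the byte counts show how much of the serialized payload was the object graph rather than the user itself.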
