#494 Implements Serializable interface in the User entity

[apetitpa]

As discussed in #494, implements the Serializable interface in the User entity.

[javiereguiluz]

Is adding the password here a recommended practice (from the security point of view)?

[apetitpa]

I used the example from the documentation http://symfony.com/doc/current/security/entity_provider.html#create-your-user-entity

[apetitpa]

Quoted from http://symfony.com/doc/current/security/entity_provider.html#understanding-serialize-and-how-a-user-is-saved-in-the-session

First, the Serializable interface and its serialize() and unserialize() methods have been added to allow the User class to be serialized to the session. This may or may not be needed depending on your setup, but it's probably a good idea. In theory, only the id needs to be serialized, because the refreshUser() method refreshes the user on each request by using the id (as explained above). This gives us a "fresh" User object.

But Symfony also uses the username, salt, and password to verify that the User has not changed between requests (it also calls your AdvancedUserInterface methods if you implement it). Failing to serialize these may cause you to be logged out on each request.

[javiereguiluz]

This explanation is not very good 😕 Saying "maybe you need this ... maybe you don't" without explaining anything else doesn't look good. And then, saying "you can serialize just "id" if you want ... but maybe it doesn't work because Symfony wants more" is also confusing.

As usual, this is caused by the massive internal complexity of the security component ... so I don't know what can we do about this.

[apetitpa]

I have to agree with you, it's quite unclear. I don't know what to do either maybe someone could enlight us on this particular topic ?

[apetitpa]

@javiereguiluz What about this PR ?

[javiereguiluz]

@apetitpa I've finally merged this because it's exactly the same as the Symfony Docs, so let's apply our own best practices here. Thanks!