From the UserInterface class:

```php
interface UserInterface
{
    /**
     * The equality comparison should neither be done by referential equality
     * nor by comparing identities (i.e. getId() === getId()).
     *
     * However, you do not need to compare every attribute, but only those that
     * are relevant for assessing whether re-authentication is required.
     *
     * @param UserInterface $user
     * @return Boolean
     */
    function equals(UserInterface $user);
}
```
How should I implement this ("those relevant for assessing whether re-authentication is required")? So does this mean it's called after Symfony 2 re-authenticated (username/password) the user? Or is this function used to re-authenticate? Do I check id, username, password, salt maybe? Doesn't Symfony re-authenticate the user by password check, which should be enough?
Update:

Now, the equals function was removed from the UserInterface and added to a new interface, EquatableInterface, and the function name changed to isEqualTo.

So if you want to change the logic that forces a connected user to disconnect, your User class needs to implement the EquatableInterface interface function isEqualTo.

Be careful: if you do that, you will lose the standard user check that checks for a modified password, modified username, ...
If `equals()` returns `false`, the user will be forced to reauthenticate. What exactly you check is up to you, because it differs from one app to another. Generally, you need to compare everything that can change about a user and affects the security of your app. For example, if email and password are used for authentication in your app, you need to compare them. On the contrary, comparing first name and last name fields doesn't make sense, since they don't affect anything related to authentication in your app — unless, of course, your app authentication is somehow based on them.
If you support different roles in your app — for example, admin and normal user — and your app provides a way of assigning and reassigning those roles to users, you need to compare roles too, because if you want to demote a user from admin to normal user, you want that change to take effect as soon as possible — on the user's next request — without explicitly asking the user to log out and log in again. If you don't compare roles in this case, the user will stay an admin until her session expires.
Checking ID doesn't make sense unless your app provides a way to change users' IDs and they are used for authentication purposes in your app. And I wouldn't check salt either, because if it's changed that also means the password is changed too, so checking the password alone would suffice.
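A User class that follows the answer's advice, added here as an example and not code from the question or the answer: it implements Symfony's EquatableInterface and compares only email, password and roles, skipping id, salt and display-only fields. The App\Entity namespace, the class and its field names are assumptions.

```php
<?php
// Added example; App\Entity, the class and its field names are assumptions.
namespace App\Entity;

use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class User implements UserInterface, EquatableInterface
{
    private $id;
    private $email;     // login identifier
    private $password;  // encoded password hash
    private $salt;
    private $roles;
    private $firstName; // display-only field
    public function __construct($id, $email, $password, $salt, array $roles, $firstName = '')
    {
        $this->id = $id;
        $this->email = $email;
        $this->password = $password;
        $this->salt = $salt;
        $this->roles = $roles;
        $this->firstName = $firstName;
    }
    // UserInterface methods required by the Security component.
    public function getUsername()      { return $this->email; }
    public function getPassword()      { return $this->password; }
    public function getSalt()          { return $this->salt; }
    public function getRoles()         { return $this->roles; }
    public function eraseCredentials() {}

    // Returning false makes Symfony treat the session token as no longer
    // authenticated, so the user must log in again on the next request.
    public function isEqualTo(UserInterface $user)
    {
        if (!$user instanceof self) {
            return false;
        }
        // Credentials: a changed email or password invalidates the session.
        if ($this->email !== $user->getUsername()
            || $this->password !== $user->getPassword()) {
            return false;
        }
        // Roles, compared order-insensitively, so a demoted admin loses
        // elevated access immediately. id, salt and firstName are not compared.
        $mine = $this->roles;        sort($mine);
        $theirs = $user->getRoles(); sort($theirs);
        return $mine === $theirs;
    }
}
```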