3
votes

I'm building an application with Symfony 2.6.5. I have built my own User Provider following this and this.

My User class implements AdvancedUserInterface and EquatableInterface. isEqualTo returns false if either password, username or isEnabled has changed. I serialize id, username, password, isEnabled and a few custom properties.

It all works pretty well, except for the following:

I can log in (without RememberMe), everything looks good. I've verified that refreshUser() in my user provider is called on every request as is isEqual() in user.

If I directly change the username in the database and hit refresh, I'm not logged out. My view displays the user name and that changes to the new value from the database. Likewise I am not logged out if I manually change the password hash in the database. I have verified that isEqualTo() returns false and $this->setAuthenticated(false) happens in AbstractToken.

It does log out on the next refresh if I change isEnabled to false.

Either I'm doing something wrong, the documentation here is wrong, I'm misinterpreting it or there is a bug in Symfony.

It's not a big deal. The fact that isEnabled gives me a way to log someone out is good but I'd like to understand this better.

Thanks

EDIT: I just discovered that I'm not the only one seeing this.

https://github.com/symfony/symfony/issues/13870

I probably should have looked there first.

1
I suppose you implemented EquatableInterface on User - Nawfal Serrar
Yes, EquatableInterface is implemented. I should have mentioned that. I've edited the question. - tetranz
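
A user class of the kind the question describes, as an added example that is not the asker's code: it implements AdvancedUserInterface and EquatableInterface, serializes id, username, password and isEnabled, and has isEqualTo() return false when any of username, password or isEnabled differs. The class name AppUser, the property names, the fixed role and the null salt are assumptions.

```php
<?php
// Added example, not code from the question. Names and fixed values are assumptions.
use Symfony\Component\Security\Core\User\AdvancedUserInterface;
use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class AppUser implements AdvancedUserInterface, EquatableInterface, \Serializable
{
    private $id;
    private $username;
    private $password;   // stored password hash, never the plain-text password
    private $isEnabled;

    public function __construct($id, $username, $password, $isEnabled)
    {
        $this->id = $id;
        $this->username = $username;
        $this->password = $password;
        $this->isEnabled = (bool) $isEnabled;
    }

    public function getUsername() { return $this->username; }
    public function getPassword() { return $this->password; }
    public function getSalt() { return null; }            // assumes the hash embeds its salt
    public function getRoles() { return array('ROLE_USER'); }
    public function eraseCredentials() {}
    public function isAccountNonExpired() { return true; }
    public function isAccountNonLocked() { return true; }
    public function isCredentialsNonExpired() { return true; }
    public function isEnabled() { return $this->isEnabled; }

    // $this is the copy restored from the session; $user is the one refreshUser() just loaded.
    public function isEqualTo(UserInterface $user)
    {
        return $user instanceof self
            && $this->username === $user->getUsername()
            && $this->password === $user->getPassword()
            && $this->isEnabled === $user->isEnabled();
    }

    public function serialize()
    {
        // Every field that isEqualTo() compares must be stored in the session.
        return serialize(array($this->id, $this->username, $this->password, $this->isEnabled));
    }

    public function unserialize($serialized)
    {
        list($this->id, $this->username, $this->password, $this->isEnabled) = unserialize($serialized);
    }
}
```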

1 Answer

1
votes

I have come to the conclusion that this is a documentation issue rather than a bug. Explanation at the bottom of https://github.com/symfony/symfony/issues/13870 and a new issue for the docs at https://github.com/symfony/symfony-docs/issues/5419