Tags: symfony, symfony4, symfony-security

Can I prevent the Symfony security component from using the session at all?


I'm working on a web app where the authentication will be done outside of php for each individual request. I was planning not to use the session at all but the security component is making use of it.

Moreover the user object is not a Doctrine entity itself, but it has one property that is an entity. This is causing issues because when the user is deserialized from the session the value of that property is a detached proxy, making it unusable.

I'd be happy if the framework would just call my user provider for every request, without ever using the session at all (it would also allow me to stop worrying about session hijacking), but from the documentation there doesn't seem to be such an option.

If that is not possible, is it feasible to reattach the proxy entity on deserialization? The user class serialize method is not useful because the entity manager is not available in there. Is there an event I can subscribe/listen to?

P.S. I am using the bundle authorization features, and I'd hate to have to disable the whole bundle.


Solution

  • Yes, you can disable the session.

    Under the firewalls option in security.yaml for your Security Component configuration, you can add stateless: true for the firewall you need to be stateless.

    More about that here: https://symfony.com/doc/4.4/security/guard_authentication.html

    You can disable the session completely by adding this to framework.yaml:

    # config/packages/framework.yaml
    framework:
        session:
            enabled: false


    More about sessions here: https://symfony.com/doc/current/session.html#configuration

    If you deserialize the User object and get that detached proxy class, can you try $entityManager->refresh($object) on it in your UserProvider, which should be a service? Or even try to fetch it again, assuming you have its ID?
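To show how the two settings from the answer fit together, here is a complete Symfony 4.4 configuration for a firewall that never stores the security token in the session, so the user provider is consulted on every request. This is an added illustration, not configuration from the answer or from the Symfony project; the firewall name `main`, the `App\Security\RequestUserProvider` and `App\Security\RequestAuthenticator` class names, the URL patterns and the `ROLE_ADMIN` rule are assumptions chosen for the example.

```yaml
# config/packages/security.yaml (added example; class names and patterns are assumed)
security:
    providers:
        # Assumed: a custom user-provider service that builds the user
        # from the per-request authentication data supplied outside PHP.
        request_user_provider:
            id: App\Security\RequestUserProvider

    firewalls:
        # Keep profiler/asset routes outside the security system, as in the default config.
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            pattern: ^/
            # stateless: true is the setting that matters here: the token is not
            # written to or read from the session, so the authenticator runs and
            # the provider is called on every request. Nothing is deserialized,
            # which also avoids the detached-proxy problem from the question.
            stateless: true
            provider: request_user_provider
            guard:
                authenticators:
                    # Assumed guard authenticator that reads the request's credentials.
                    - App\Security\RequestAuthenticator

    # Authorization rules keep working without a session; they only need the
    # token that the authenticator creates for the current request.
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }

# config/packages/framework.yaml
# Optional: with every firewall stateless, the session can be switched off
# entirely, which removes the session-hijacking concern raised in the question.
framework:
    session:
        enabled: false
```

With `stateless: true` alone the security component already stops using the session for the firewall; disabling the session in framework.yaml is an extra step that only makes sense once no other part of the application (flash messages, CSRF tokens, remember-me) depends on it.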