On 21.04.2011, at 16:51, Jeremy Mikola wrote: > I'd once again suggest loadByUserId(). In the past, I know we discussed terms > like loadByPrincipal() (a term popular in Spring). The comment earlier that > the cookie-only remember-me implementation uses the username as the > identifier revived the problem for me. > > I think across the majority of projects, usernames may never change. But > across an even greater majority, user ID's never change. > > Afaik, Spring uses a two-query process for logging in. It resolves the user's > login identifier (be it a username or email) to his principal (ID). The user > record is then loaded by that ID to obtain the credentials (e.g. hashed > password, salt) for password comparison. That system seems far more robust > for handling any given probject, and I don't feel it'd add significant > complexity to the developer (vs. its benefits in flexibility and separating > concerns).
during the last meeting Jeremy said he would discuss this topic with Johannes bilaterally some more .. has there been any progress? regards, Lukas Kahwe Smith [email protected] -- If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com You received this message because you are subscribed to the Google Groups "symfony developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
