
Conversation

@dereuromark
Member

Summary

  • Deprecate the identify option in SessionAuthenticator
  • Simplify the Quick Start example to not pass unnecessary identifier to SessionAuthenticator

Why deprecate identify?

The identify option only verifies that the username exists in the database - it does not verify passwords as the documentation previously suggested.

When identify => true:

  • The default fields config only includes username, so only the username is passed to the identifier
  • The PasswordIdentifier::identify() method skips password verification when no password credential is provided
  • Even if you add password to fields, it fails because sessions store hashed passwords, but password_verify(hash, hash) doesn't work

This makes the option ineffective for:

  • Detecting password changes
  • Remotely invalidating sessions when passwords are updated

Users should use PrimaryKeySessionAuthenticator instead if they need to fetch fresh user data from the database on each request.

Quick Start example improvement

The SessionAuthenticator doesn't need an identifier by default - it just uses session data directly as identity. The example was unnecessarily passing $passwordIdentifier to it.
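
The behaviour described in the pull request above, reproduced in plain PHP as an added example; it is not part of the pull request or the plugin's code. The user row is constructed sample data, and `usernameExists()` and `sessionHashIsCurrent()` are hypothetical helpers standing in for a username-only identify and for an application-level check against a freshly fetched row.

```php
<?php
declare(strict_types=1);

// Constructed sample data: one user row as it would sit in the users table.
$users = [
    1 => [
        'id' => 1,
        'username' => 'alice',
        'password' => password_hash('old-secret', PASSWORD_DEFAULT),
    ],
];

// At login the user row, including the password hash, is stored in the session.
$session = $users[1];

// Hypothetical stand-in for a username-only identify: no password credential
// is supplied, so nothing is checked beyond the row existing.
function usernameExists(array $users, string $username): bool
{
    foreach ($users as $row) {
        if ($row['username'] === $username) {
            return true;
        }
    }
    return false;
}

// Hypothetical application-level check (an assumption, not plugin behaviour):
// re-read the row by primary key and compare its hash with the session's copy.
function sessionHashIsCurrent(array $users, array $session): bool
{
    $fresh = $users[$session['id']] ?? null;
    return $fresh !== null && hash_equals($fresh['password'], $session['password']);
}

// Case 1: the session's hash is passed where a plaintext password is expected.
// password_verify() hashes its first argument; it never compares two hashes,
// so this does not succeed even though the password has not changed yet.
var_dump(password_verify($session['password'], $users[1]['password']));

// The user changes their password while the old session is still alive.
$users[1]['password'] = password_hash('new-secret', PASSWORD_DEFAULT);

// Case 2: the username-only check cannot see the change.
var_dump(usernameExists($users, $session['username']));

// Case 3: comparing against the freshly fetched row does see it.
var_dump(sessionHashIsCurrent($users, $session));
```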

@dereuromark dereuromark force-pushed the fix/deprecate-session-identify branch from d12e07a to 888e8a7 Compare January 13, 2026 17:22
The `identify` option only verifies that the username exists in the
database, it does not verify passwords as the documentation previously
suggested. This makes it ineffective for the use case of detecting
password changes or remotely invalidating sessions.

Users should use `PrimaryKeySessionAuthenticator` instead if they need
to fetch fresh user data from the database on each request.

Also updated the Quick Start guide to clarify that SessionAuthenticator
does not need an identifier - it uses session data directly as identity.
@dereuromark dereuromark force-pushed the fix/deprecate-session-identify branch from 888e8a7 to ad2c520 Compare January 13, 2026 17:37
@ADmad ADmad requested a review from markstory January 13, 2026 17:43
@dereuromark dereuromark added this to the 3.x milestone Jan 14, 2026