Symfony4, log out the user if the IP has changed

Question

I want to log out the user if the IP has changed.

I managed to make it by creating a field lastLoginIp in the Users table, setting it in the onAuthenticationSuccess, and then checking in the User::isEqualTo() method:

if($user->getLastLoginIp() !== Utils::getIp()) {
    return false;
}

The problem is that it broke impersonation, because of course the IP of the admin is different than the IP of the user.

How can this be implemented? (and the user must not get logged out if somebody impersonates him)

@ArleighHix in my application the admins and the "account managers" can impersonate the regular users, using the Symfony impersonation feature (https://symfony.com/doc/current/security/impersonating_user.html — the_nuts, Sep 22 '19 at 16:44

score 0 · Answer 1 · answered Sep 16 '19 at 12:36

0

Why not skip ip check if is granted ROLE_PREVIOUS_ADMIN?

    if ($this->security->isGranted('ROLE_PREVIOUS_ADMIN')) {
        return true;
    }

answered Sep 16 '19 at 12:36

Harold

669
1
7
31

`isEqualTo()` is in the User class, which is a standard Entity, there isn't any security service (should I inject it?) – the_nuts Sep 22 '19 at 16:46
no just check `$this->hasRole('ROLE_PREVIOUS_ADMIN')` in User entity – Harold Sep 23 '19 at 18:03

Symfony4, log out the user if the IP has changed

1 Answers1