diff --git a/cookbook/security/impersonating_user.rst b/cookbook/security/impersonating_user.rst index edd9f035383..23706b9bfef 100644 --- a/cookbook/security/impersonating_user.rst +++ b/cookbook/security/impersonating_user.rst @@ -6,8 +6,17 @@ How to Impersonate a User Sometimes, it's useful to be able to switch from one user to another without having to log out and log in again (for instance when you are debugging or trying -to understand a bug a user sees that you can't reproduce). This can be easily -done by activating the ``switch_user`` firewall listener: +to understand a bug a user sees that you can't reproduce). + +.. caution:: + + User impersonation is not compatible with + :doc:`pre Authenticated firewalls`. The + reason is that impersonation requires the authentication state to be maintained + server-side but pre-authenticated information (``SSL_CLIENT_S_DN_Email``, + ``REMOTE_USER`` or other) is sent in each request. + +This can be easily done by activating the ``switch_user`` firewall listener: .. configuration-block:: diff --git a/cookbook/security/pre_authenticated.rst b/cookbook/security/pre_authenticated.rst index 2d8e6202528..032c55a55c8 100644 --- a/cookbook/security/pre_authenticated.rst +++ b/cookbook/security/pre_authenticated.rst @@ -11,6 +11,14 @@ box, Symfony supports most authentication mechanisms. These requests are called *pre authenticated* requests because the user is already authenticated when reaching your application. +.. caution:: + + :doc:`User impersonation ` is not + compatible with pre-authenticated firewalls. The reason is that + impersonation requires the authentication state to be maintained server-side + but pre-authenticated information (``SSL_CLIENT_S_DN_Email``, ``REMOTE_USER`` + or other) is sent in each request. + X.509 Client Certificate Authentication --------------------------------------- 
@@ -152,9 +160,3 @@ key in the ``remote_user`` firewall configuration. See :ref:`the previous note ` for more information. -.. caution:: - - :doc:`User impersonation ` is not - compatible with ``REMOTE_USER`` based authentication. The reason is that - impersonation requires the authentication state to be maintained server-side - but ``REMOTE_USER`` information is sent by the browser in each request.
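Review bot: In the ``impersonating_user.rst`` hunk, the new caution is inserted between the introductory sentence and "This can be easily done by activating the ``switch_user`` firewall listener:", so "This" no longer has a clear antecedent and reads as if it referred to the caution. Either open that sentence with "Impersonation can be easily done by ..." or move the caution below the configuration block. Two smaller points in the same caution: the link text "pre Authenticated firewalls" is spelled differently from "pre-authenticated" two lines later, and the ``:doc:`` role as it appears here carries no target path, so check that the rendered link resolves.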
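Review bot: The caution added near the top of ``pre_authenticated.rst`` gives the reason ("sent in each request") but stops short of the consequence, and "or other" leaves the reader to guess which firewalls are affected. Name the affected firewall types explicitly (the page covers X.509 client certificates and ``remote_user``) and add one sentence on what a user would observe if ``switch_user`` is enabled on such a firewall. The paragraph is also nearly word for word the same as the caution added to ``impersonating_user.rst``, so consider keeping the text in one shared include so the two copies cannot drift apart. As in the other file, the ``:doc:`` role shows no target here and should be checked in the rendered output.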
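Review bot: In the last hunk, removing the caution from the end of the ``REMOTE_USER`` section means a reader who lands directly on that section no longer sees any warning about impersonation, since the replacement now lives only in the page introduction. A one-line pointer back to the caution at the top of the page would keep the warning discoverable from this section. Dropping "by the browser" from the old wording is a good correction and worth keeping, since the value is not something the browser sends under that name.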