New in Symfony 5.3: Improvements for Security Users
Renamed User to InMemoryUser¶
In Symfony applications, the memory user provider allows to create users
(and define their credentials) in a configuration file which is loaded in memory,
without using databases or any other persisting service.
Although this user provider is only for prototypes or very small/special
applications, it’s based on a class called User (the entire namespace is
SymfonyComponentSecurityCoreUserUser). This confuses some newcomers,
who think this is the main User class in Symfony security.
That’s why in Symfony 5.3 we’ve renamed User to InMemoryUser and
UserChecker to InMemoryUserChecker to better convey their purpose
(in 5.3 the old names still work but they are deprecated and in Symfony 6.0
they will be removed):
– SymfonyComponentSecurityCoreUserUser: bcrypt
+ SymfonyComponentSecurityCoreUserInMemoryUser: bcrypt
Renamed username to identifier¶
Another source of confusion related to users is the concept of “username” which
is used in the Symfony security. In many applications this username is not a
traditional username, but an email or even some API token.
That’s why in Symfony 5.3 we’ve decided to avoid this confusion and we’ve
renamed “username” to “user identifier”. This might require some changes in
your application code (in 5.3 the old names still work but they are deprecated
and in Symfony 6.0 they will be removed):
UserInterface::getUsername() is now UserInterface::getUserIdentifier()
loadUserByUsername() is now loadUserByUserIdentifier(), both in user
loaders and user providers
UsernameNotFoundException is now UserNotFoundException
Decoupled Passwords from Users¶
The SymfonyComponentSecurityCoreUserUserInterface is implemented by all
the security users in Symfony applications. Sadly, this interface is a product
of its time and it contains some methods that are no longer used in modern applications.
The first unneeded method is getSalt(), which is no longer necessary when
using modern password hashing algorithms (bcrypt, Argon2, etc.) This method has
been moved to a new LegacyPasswordAuthenticatedUserInterface.
The other method is getPassword() which is no longer needed in many
password-less features, such as login links. This method has been moved to a
In Symfony 5.3, UserInterface still contains the getPassword() and
getSalt() methods (they will be removed in Symfony 6.0). However, when
upgrading to Symfony 5.3, you need to implement the new interfaces if you use