minor #16858 [Security] Enforce maximum username length (javiereguiluz)

javiereguiluz · javiereguiluz · commit 55fe8c9347ac · 2022-06-10T13:42:25.000+02:00
This PR was squashed before being merged into the 6.2 branch. Discussion ---------- [Security] Enforce maximum username length Fixes #16856. Commits ------- 0e14ecf [Security] Enforce maximum username length
diff --git a/security/custom_authenticator.rst b/security/custom_authenticator.rst
@@ -205,6 +205,11 @@ using :ref:`the user provider <security-user-providers>`::
     // ...
     $passport = new Passport(new UserBadge($email), $credentials);
 
+.. note::
+
+    The maximum length allowed for the user identifier is 4096 characters to
+    prevent `session storage flooding`_ attacks.
+
 .. note::
 
     You can optionally pass a user loader as second argument to the
@@ -373,3 +378,5 @@ authenticator methods (e.g. ``createToken()``)::
             return new CustomOauthToken($passport->getUser(), $passport->getAttribute('scope'));
         }
     }
+
+.. _`session storage flooding`: https://symfony.com/blog/cve-2016-4423-large-username-storage-in-session
