Impersonate a user when using REMOTE_USER #18406

Closed
bertoost opened this issue Apr 1, 2016 · 6 comments

@bertoost

bertoost commented Apr 1, 2016

When switching user when you're using the REMOTE_USER setup, it will switch you back every time within a couple of seconds. It's not possible to switch user this way.

Tried to overwrite the security token etc. but that also ends in the same result.

The "impersonated" user does get an updated last login time (FOSUserBundle) in both situations, but the REMOTE_USER is still leading and I am still myself :-)

Anyone facing this issue?
Would be great to use Symfony's switch feature.

@stof
Member

stof commented Apr 1, 2016

REMOTE_USER is meant to be a stateless auth model. The browser sends the auth with each request.
So when switching user, the next request is again authenticating with the original user, leading to the behavior you see.
The impersonation feature of Symfony requires that the authentication state is maintained server-side. For stateless auth systems where the client maintains this state, it cannot work, as you would have to impersonate client-side (which is where the state is).
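
The behaviour described in the comment above, as an added example that is not part of the thread and not Symfony's own code. It is a simplified model in plain PHP: the function names, the array-based session and the user names `bert` and `alice` are assumptions made for illustration; `_switch_user` is Symfony's default switch parameter. The switched token stored server-side survives only until the next request, where the identity sent with the request replaces it.

```php
<?php
// Simplified model of a pre-authenticated (REMOTE_USER) firewall combined
// with user switching. Hypothetical names throughout; not Symfony's code.

/** Pre-authenticated step: runs on EVERY request and trusts REMOTE_USER. */
function preAuthListener(array $server, array &$session): void
{
    $remoteUser = $server['REMOTE_USER'] ?? null;
    if ($remoteUser === null) {
        return; // no pre-auth data on this request
    }
    $token = $session['token'] ?? null;
    // Keep the stored token only if it is a pre-auth token for the same user.
    if ($token !== null && $token['type'] === 'preauth' && $token['user'] === $remoteUser) {
        return;
    }
    // Otherwise the identity sent with the request wins and replaces the token.
    $session['token'] = ['type' => 'preauth', 'user' => $remoteUser];
}

/** Switch-user step: stores the impersonated identity server-side. */
function switchUserListener(array $query, array &$session): void
{
    if (isset($query['_switch_user'], $session['token'])) {
        $session['token'] = [
            'type'     => 'switched',
            'user'     => $query['_switch_user'],
            'original' => $session['token']['user'],
        ];
    }
}

/** One request through the firewall; returns the effective user name. */
function handleRequest(array $server, array $query, array &$session): string
{
    preAuthListener($server, $session);
    switchUserListener($query, $session);
    return $session['token']['user'] ?? 'anonymous';
}

// Constructed sample: the web server sets REMOTE_USER=bert on each request.
$session = [];
$server  = ['REMOTE_USER' => 'bert'];
echo handleRequest($server, [], $session), "\n";                          // request 1: plain page load
echo handleRequest($server, ['_switch_user' => 'alice'], $session), "\n"; // request 2: switch requested
echo handleRequest($server, [], $session), "\n";                          // request 3: next page load
```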

@stof
Member

stof commented Apr 1, 2016

I think this should be considered as a documentation issue, which should explain the limitations of the feature.

@javiereguiluz
Member

I agree with @stof. I've proposed adding a note about this in the docs: symfony/symfony-docs#6423

Therefore, I'm closing this issue as "fixed". Thanks!

@bertoost
Author

bertoost commented Apr 1, 2016

Makes sense. I need to find another solution to fix this. It's important to impersonate in our REMOTE_USER based application :-)

@amylashley

@bertoost did you ever find a solution? We're facing a similar issue.

@bertoost
Author

Tried different things with sessions and listeners but no luck... we disabled this admin feature in our application :-(
