Symfony version(s) affected
6.4.15
Description
The ContextListener in Symfony stores the token with PHP's native serialize(), which does not respect the Serializer component's #[Ignore] attribute on user object fields. As a result the entire user object, including fields marked #[Ignore] that hold sensitive data, is serialized into the session.
How to reproduce
Put a breakpoint at line 172 and inspect the $token variable in the debugger.
https://github.com/symfony/security-http/blob/7.2/Firewall/ContextListener.php#L172
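The same observation can be reproduced without a debugger. The following is an added example, not code from this report or from Symfony: it shows that #[Ignore] is only metadata for the Serializer component and has no effect on serialize(), and that the native way to control what goes into the session is to implement __serialize()/__unserialize() on the user class. The user classes, field names, secret value and the local Ignore stand-in attribute are constructed for illustration.

```php
<?php
// Added example, not code from the issue or from Symfony. Demonstrates that
// serialize() ignores the Serializer component's #[Ignore] attribute, and
// that __serialize()/__unserialize() is what actually limits the data stored
// in the session. All classes, names and values below are constructed.

declare(strict_types=1);

// Stand-in for Symfony\Component\Serializer\Attribute\Ignore so this file
// runs without Symfony installed. Like the real one, it is plain metadata
// that only the Serializer component consults; serialize() never reads it.
#[\Attribute(\Attribute::TARGET_PROPERTY | \Attribute::TARGET_METHOD)]
final class Ignore {}

// A user class as the report describes: a sensitive field marked #[Ignore].
final class NaiveUser
{
    public function __construct(
        public string $identifier,
        #[Ignore] public string $apiSecret,
    ) {}
}

// Same data, but with explicit serialization hooks. Only the identifier is
// kept. On the next request the firewall refreshes the user through the user
// provider, which only needs the identifier to reload the full object.
final class SafeUser
{
    public function __construct(
        public string $identifier,
        public string $apiSecret,
    ) {}

    public function __serialize(): array
    {
        return ['identifier' => $this->identifier];
    }

    public function __unserialize(array $data): void
    {
        $this->identifier = $data['identifier'];
        // Typed property must be initialised; it is deliberately not restored
        // from the session and must be reloaded from the user provider.
        $this->apiSecret = '';
    }
}

// True if the secret appears in the native serialization, i.e. if it would
// be written into the session storage verbatim.
function secretLeaksIntoSession(object $user, string $secret): bool
{
    return str_contains(serialize($user), $secret);
}

$secret = 'sk_live_constructed_secret';
$naive  = new NaiveUser('alice', $secret);
$safe   = new SafeUser('alice', $secret);

printf("NaiveUser leaks secret: %s\n", secretLeaksIntoSession($naive, $secret) ? 'yes' : 'no');
printf("SafeUser  leaks secret: %s\n", secretLeaksIntoSession($safe, $secret) ? 'yes' : 'no');

// Round trip: the identifier survives, the secret does not.
$restored = unserialize(serialize($safe));
printf("restored identifier=%s apiSecret=%s\n",
    $restored->identifier, var_export($restored->apiSecret, true));
```

Run with php 8.0 or later. Whatever __serialize() returns is exactly what ends up in the session, so it must keep enough state (at minimum the user identifier) for the user provider to refresh the user on the following request; anything dropped here is reloaded from the provider rather than trusted from the session.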
Possible Solution
The session storage should respect the #[Ignore] attribute so that unnecessary or sensitive fields are not serialized.
Additional Context
No response