From a8eba803a35994628387678d6d3890f0f4f2bc56 Mon Sep 17 00:00:00 2001
From: Robin Chalas
Date: Sat, 15 Dec 2018 11:27:20 +0100
Subject: [PATCH] [Security] Prefer clone over unserialize(serialize()) for user refreshment
---
 .../Component/Security/Http/Firewall/ContextListener.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
index cdaebbca7589..fb279791f8f3 100644
--- a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
@@ -170,7 +170,7 @@ protected function refreshUser(TokenInterface $token)
 try {
 $refreshedUser = $provider->refreshUser($user);
- $newToken = unserialize(serialize($token));
+ $newToken = clone $token;
 $newToken->setUser($refreshedUser);
 // tokens can be deauthenticated if the user has been changed.
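Review bot: `clone $token` on the changed line is a shallow copy, whereas the `unserialize(serialize($token))` round-trip it replaces produced a fully detached one, so any object the token holds other than the user replaced by `setUser()` on the next line is now shared between `$token` and `$newToken`. That is presumably fine for the built-in tokens, but a custom `TokenInterface` implementation that keeps mutable objects in its state, or that relied on its serialization hooks to drop or reset fields, will behave differently here unless it defines `__clone()`. Because the comment that follows says the user comparison can deauthenticate the token, I would add a line such as `// shallow copy: $newToken shares nested objects with $token; only the user is replaced below` and a regression test asserting that `$token` is left unchanged by the refresh. The body of refreshUser() starts and ends outside this hunk, so how `$newToken` is used afterwards is not visible.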