[Security] Stop recommending to lowercase email addresses #21080

Closed
Description

@ThomasLandauer
Contributor

I'm questioning the entire section at https://symfony.com/doc/current/security/custom_authenticator.html#user-identifier, starting with:

It's a good practice to normalize the user identifier before using it.

@Spomky and @javiereguiluz you were the last ones who edited it.

Right now, this sounds like a recommendation to lowercase all email addresses. But this is not good advice IMO, since email addresses are case-sensitive, see https://stackoverflow.com/a/9808332/1668200

Besides, I cannot see the point of bringing up the gmail example. This creates the impression that even removing dots is the way to go ("If Google does it, then probably everybody else is doing it..."). However, we're in the context of using email addresses as usernames, and here gmail is just one provider, among millions of others.
So, frankly, I don't care what gmail is doing. And they might even change it tomorrow...

So I'm suggesting reducing all this to just a short note, something like:

You can pass a custom normalizer (e.g. to lowercase the username).

Since everybody needs to decide for themselves what's best in their use case.

I didn't come up with a PR right away, since (more or less) deleting everything you just added might look a bit harsh ;-)

Activity

Spomky (Contributor) commented on Jun 13, 2025

Hi @ThomasLandauer,

Thanks a lot for your feedback.

Indeed, the section you referenced is meant to address user identifiers in general, not email addresses specifically.
The recommendation to normalize is about ensuring consistent comparisons during authentication, in particular because identifiers come from user input.
You're also right about the Gmail example; it should be removed to avoid confusion and unintended assumptions.
The john.doe@acme.com examples could be removed too for the same reason.

wouterj (Member) commented on Jun 13, 2025

I agree, we can probably simplify the section, only leaving something like this:

It's a good practice to normalize the user identifier before using it. This ensures that variations like "john.doe", "John.Doe", or "JOHN.DOE" are treated as the same user. In Symfony applications, you can optionally pass a user identifier normalizer as the third argument to the UserBadge. This callable receives the $userIdentifier and must return a normalized string.
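The normalizer callable wouterj describes, written out as an added example that is not from the Symfony docs, this issue, or the project's code: it keeps the local part of an email address exactly as typed (the point ThomasLandauer raises) and folds only the domain, which is case-insensitive in DNS. It assumes UserBadge accepts the closure through a parameter named identifierNormalizer; check the parameter name and position against your Symfony version.

```php
<?php
declare(strict_types=1);
// Added example, not code from the Symfony docs or from PR #21088.
// For an email-shaped identifier only the domain (right of the last '@') is
// lowercased, since DNS names are case-insensitive; the local part is kept
// as typed because RFC 5321 leaves its case handling to the receiving server.
// Assumption: the closure is wired into UserBadge via the normalizer parameter
// the thread mentions (assumed to be named identifierNormalizer; verify).
function normalizeUserIdentifier(string $identifier): string
{
    // Surrounding whitespace is almost always a copy/paste artefact.
    $identifier = trim($identifier);
    // Canonical Unicode form (intl extension), so that a precomposed "é" and
    // "e" + combining accent are treated as the same identifier.
    if (class_exists(\Normalizer::class)) {
        $identifier = \Normalizer::normalize($identifier, \Normalizer::FORM_C) ?: $identifier;
    }
    $at = strrpos($identifier, '@');
    if ($at === false) {
        // Plain username: returned unchanged. Whether to fold case here is an
        // application decision, as the issue says.
        return $identifier;
    }
    $local = substr($identifier, 0, $at);
    $domain = mb_strtolower(substr($identifier, $at + 1)); // mbstring; covers IDN domains
    return $local.'@'.$domain;
}

// In a custom authenticator (assumed wiring, see note above):
// $badge = new UserBadge($email, identifierNormalizer: normalizeUserIdentifier(...));

// Constructed inputs showing what is and is not folded together.
$cases = [
    '  John.Doe@Example.COM ' => 'John.Doe@example.com', // domain folded only
    'JOHN.DOE@example.com'    => 'JOHN.DOE@example.com', // stays distinct from the line above
    'john.doe'                => 'john.doe',             // no '@': untouched
];
foreach ($cases as $input => $expected) {
    $actual = normalizeUserIdentifier($input);
    if ($actual !== $expected) {
        throw new \LogicException("'$input' normalized to '$actual', expected '$expected'");
    }
}
// A normalizer must be idempotent: applying it twice changes nothing.
if (normalizeUserIdentifier(normalizeUserIdentifier('A@B.C')) !== 'A@b.c') {
    throw new \LogicException('normalizer is not idempotent');
}
```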

A commit referencing this issue was added on Jun 17, 2025:
minor #21088 [Security] : Removing recommendations to lowercase email…

Label hasPR (A Pull Request has already been submitted for this issue.) added on Jun 22, 2025.

Metadata

Labels: Security, hasPR (A Pull Request has already been submitted for this issue.)

Participants: @wouterj, @ThomasLandauer, @Spomky, @xabbuh, @carsonbot

        [Security] Stop recommending to lowercase email addresses · Issue #21080 · symfony/symfony-docs