From 4d29c99c2006a80d40d6d942a29f8afa00d67980 Mon Sep 17 00:00:00 2001
From: Artyum <artyum@protonmail.com>
Date: Thu, 4 Nov 2021 20:52:02 +0400
Subject: [PATCH] [Security] Added a note regarding the loginUser() method

---
 testing.rst | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/testing.rst b/testing.rst
index f130dfbb06f..a4d48938779 100644
--- a/testing.rst
+++ b/testing.rst
@@ -625,6 +625,11 @@ You can pass any
 :class:`Symfony\\Bundle\\FrameworkBundle\\Test\\TestBrowserToken` object and
 stores in the session of the test client.
 
+.. note::
+
+    Stateless firewalls cannot use ``loginUser()`` prior to requests by design.
+    Instead you should add the correct token (i.e. header) in each ``request()`` call.
+
 Making AJAX Requests
 ....................