Unset Password from getIdentity()

Need Help
1

How to replicate:

After $result->isValid()

$currentSession = $this->Authentication->getIdentity();
pr($currentSession);

It shows :

Authentication\Identity Object
(
    [config] => Array
        (
            [fieldMap] => Array
                (
                    [id] => id
                )

        )

    [data] => App\Model\Entity\User Object
        (
            [id] => 1
            [email] => test@example.com
            [password] => $2y$10$lJmWmCJuneg9O3AD2KsfI.qER7UQEBJn1ihnHA4pyKdUmX3TrCFUO
            [activeToken] => 83s6f9e1d6a8d1f85d2f4d9a3as1c8
            [token] => 56asd546a8s5d484fd156dsf98f56ew12
            [[new]] => 
            [[accessible]] => Array
                (
                    [username] => 1
                    [profiles] => 1
                )

            [[dirty]] => Array
                (
                )

            [[original]] => Array
                (
                )

            [[virtual]] => Array
                (
                )

            [[hasErrors]] => 
            [[errors]] => Array
                (
                )

            [[invalid]] => Array
                (
                )

            [[repository]] => Users
        )

)

In User.php I have:

protected $_hidden = [
    'password',
    'activeToken',
    'token'
];

Question
Is there a way I can remove “Password” from [data] ?

2

The password will be shown until you call like $user->toArray() or is converted to json.

pr, debug functions will show it

3

But it will still be in the session memory.
Our code was security audited and the only thing they could find is… in the event of a memory-leak, the password hash must not be shown anywhere. ¯_(ツ)_/¯
So …
How do I change the authentication to remove it?

4

Guess there isn’t a functionality to do … yet.
I have opened an RFC Ability to remove fields from getIdentity() · Issue #465 · cakephp/authentication · GitHub
let’s see if it is worth the shot.

5

The Authentication plugin provides a way to specify your own Identity class. So you could extend the current Identity and make the new constructor remove the password.

https://book.cakephp.org/authentication/2/en/identity-object.html#creating-your-own-identity-object