Description
Yesterday my project moved from 4.3.4 to 4.4.3 and I got a problem.
I have a piece of code that allows logging in as another user without signing out. So an admin can log in with ROLE_ADMIN first and then log in as a user and have roles: ROLE_ADMIN, ROLE_OWNER, ROLE_USER. As a result, the admin will have the permissions of both admin and user. He can view admin and user pages at the same time.
Listing:
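```php
public function loginAsClient(TokenStorageInterface $tokenStorage, User $user)
{
    // Merge the current (admin) user's roles into the target user's roles.
    $user->setRoles(array_unique(array_merge($this->getUser()->getRoles(), $user->getRoles())));

    // Build a token for the target user on the "main" firewall with the merged roles.
    $token = new UsernamePasswordToken($user, null, 'main', $user->getRoles());
    $tokenStorage->setToken($token);

    // Store the serialized token in the session under the firewall's session key.
    $this->get('session')->set('_security_main', serialize($token));
    $this->get('session')->save();

    return $this->redirectToRoute('dashboard_index');
}
```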
And everything worked until I upgraded. Now nothing happens after this action: just a redirect, without the new roles being saved in the session.
Also, I noticed that if I do not merge roles and give just the user's roles (without ROLE_ADMIN), authentication will work, but then the admin will lose admin permissions and a logout will be required.
Has something changed in the new security version, or is this type of manual login deprecated?
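
The following is an added example, not code from the post or from Symfony. It is a stand-alone model of a refresh-time check that compares the roles stored in a session token with the roles of the user reloaded from the provider, and it reproduces both outcomes described above. That the firewall performs such a comparison after the upgrade is an assumption here; `ModelToken`, `STORED_ROLES` and `refreshFromSession` are hypothetical names, and the role data is constructed.

```php
<?php
// Added illustration: a stand-alone model, not Symfony's code.
// Assumption: on each request the user is reloaded from the provider and the
// session token is dropped when the reloaded roles differ from the token's roles.

final class ModelToken
{
    public $username;
    public $roles;

    public function __construct(string $username, array $roles)
    {
        $this->username = $username;
        $this->roles = $roles;
    }
}

// Constructed sample data: roles as the user provider (e.g. the database) returns them.
// The merged roles from the listing are never persisted, so they do not appear here.
const STORED_ROLES = [
    'admin'  => ['ROLE_ADMIN'],
    'client' => ['ROLE_OWNER', 'ROLE_USER'],
];

// Returns the token if it survives the refresh, or null if it is deauthenticated.
function refreshFromSession(string $serialized): ?ModelToken
{
    $token = unserialize($serialized, ['allowed_classes' => [ModelToken::class]]);
    $fresh = $token instanceof ModelToken ? (STORED_ROLES[$token->username] ?? null) : null;
    if ($fresh === null) {
        return null; // unknown user or unexpected payload
    }
    // Roles must match as sets; any extra or missing role invalidates the token.
    $same = !array_diff($fresh, $token->roles) && !array_diff($token->roles, $fresh);

    return $same ? $token : null;
}

// Case 1: token carries the merged admin + client roles, as in the listing.
$merged = array_values(array_unique(array_merge(STORED_ROLES['admin'], STORED_ROLES['client'])));
$mergedResult = refreshFromSession(serialize(new ModelToken('client', $merged)));

// Case 2: token carries only the client's own stored roles.
$plainResult = refreshFromSession(serialize(new ModelToken('client', STORED_ROLES['client'])));

echo 'merged roles: ', $mergedResult === null ? 'token dropped' : 'token kept', PHP_EOL;
echo 'client roles only: ', $plainResult === null ? 'token dropped' : 'token kept', PHP_EOL;
```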