diff --git a/security/custom_authenticator.rst b/security/custom_authenticator.rst
index 4178e254904..7d0ea155df3 100644
--- a/security/custom_authenticator.rst
+++ b/security/custom_authenticator.rst
@@ -205,6 +205,11 @@ using :ref:`the user provider `::
 // ...
 $passport = new Passport(new UserBadge($email), $credentials);
+.. note::
+
+ The maximum length allowed for the user identifier is 4096 characters to
+ prevent `session storage flooding`_ attacks.
+
 .. note::
 You can optionally pass a user loader as second argument to the
@@ -373,3 +378,5 @@ authenticator methods (e.g. ``createToken()``)::
 return new CustomOauthToken($passport->getUser(), $passport->getAttribute('scope'));
 }
 }
+
+ .. _`session storage flooding`: https://symfony.com/blog/cve-2016-4423-large-username-storage-in-session