Framework: [5.4] Illuminate/Session/Middleware/AuthenticateSession.php breaks remember me functionality

Created on 6 Apr 2017  路  14Comments  路  Source: laravel/framework
  • Laravel Version: latest 5.4.18
  • PHP Version: 7
  • Database Driver & Version:

Description:

Including the commented
\Illuminate\Session\Middleware\AuthenticateSession::class in the
'web'-middleware-group breaks the remember me functionality from make:auth-implementation.

Steps To Reproduce:

Use laravel's make:auth with a proper database configured in .env file.
Include the commented
\Illuminate\Session\Middleware\AuthenticateSession::class,
in
app/Http/Kernel.php into $middlewareGroups-'web' -section.

Set session lifetime to 1 minute in config/session.php and
log in with remember me checkbox checked, and wait over 1 minute.
Refresh the page.
Results :
Without the AuthenticateSession-middleware home-page reloads normally and user is still signed in.
With the middleware however, the user will be kicked back to login page and is no longer signed in, even when going to homepage -url manually.

Shouldn't the remember me token still make sure that the user is signed in? The AuthenticateSession-middleware merely checks if the session-hash-password is the same as user-hash-password, and kicks out if user-hash-password has changed while still logged in.

picture anhvun

Most helpful comment

@elasticsteve this issue is not closed.

picture Riari on 15 Feb 2018
👍3

All 14 comments

5.3 is no longer supported. You need to check if bug still exists in 5.4

Dylan-DPC picture Dylan-DPC on 11 Apr 2017
👍1

Referencing https://laracasts.com/discuss/channels/laravel/authenticatesession-middleware
Will test it with Laravel 5.4 then

anhvun picture anhvun on 13 Apr 2017

Tested with latest 5.4. Same problem.

anhvun picture anhvun on 14 Apr 2017

Having the same issue on 5.4.

pix2D picture pix2D on 27 May 2017

+1 here. It looks like the "password_hash" session keys is not set during login process, resulting to logout the current user (Line 51 in AuthenticateSession Middleware). So do we need to manually set the "password_hash" value into the session ?

antoine1302 picture antoine1302 on 28 May 2017

I also seem to be suffering with this problem 馃憤 Not sure of a way to get around it at the moment. Anyone have any temporary fixes?

Azirius picture Azirius on 12 Jun 2017

Same issue.

aocneanu picture aocneanu on 17 Jun 2017

Same here on latest 5.4.

RamiJabr picture RamiJabr on 19 Jul 2017

19843 related?

devcircus picture devcircus on 19 Jul 2017

In the other threat you've closed it, pointing to this one, and in this threat you closed it, pointing to the other one! This is going in circles! Where is the fix?

update: I see it's the other one that is closed, not this one. :)

elastisteve picture elastisteve on 15 Feb 2018

@elasticsteve this issue is not closed.

Riari picture Riari on 15 Feb 2018
👍3

+1, is this issue fixed in later laravel versions?

DanielDarrenJones picture DanielDarrenJones on 2 Mar 2018

I've tested this in Laravel 5.5.28 and it seems to work just fine for me. I'm not sure when this was fixed or how, but I cannot reproduce the problem.

barryvanveen picture barryvanveen on 7 Mar 2018

https://github.com/laravel/framework/issues/16311

pedrofurtado picture pedrofurtado on 14 Sep 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

PhiloNL picture PhiloNL  路  3Comments
felixsanz picture felixsanz  路  3Comments
fideloper picture fideloper  路  3Comments
Anahkiasen picture Anahkiasen  路  3Comments
kerbylav picture kerbylav  路  3Comments