Framework: AuthenticateSession doesn't refresh password_hash after re-login

Created on 9 Mar 2018 · 3 comments · Source: laravel/framework

Laravel Version: 5.5
PHP Version: 7.0
Database Driver & Version: MySQL 5.7

Description:
When we log out a user, the password_hash in the session isn't deleted. So if we log in a different user with the old password_hash, it doesn't work. And if we log in the same user, it is successful.

And when you create a user account, Auth::login($user) can't work.

We use the middleware in this way. You can download our project for demo.

https://github.com/laravel/framework/pull/16323

All 3 comments

When we log out a user, the password_hash in the session isn't deleted.

This is correct. Laravel does not know when a user is logged out since they can just close down the browser without any notification to Laravel.

I think you're misunderstanding what the password_hash does. It's there to make sure that sessions are invalidated when users change their passwords. All _my_ sessions are invalidated when I change _my_ password. There's nothing shared between different users.

Could you clarify on the actual problem/scenario you have?

I use Auth::logout() to log out. The password_hash should be deleted.
And it has a bad effect on another, different user: they must log in twice.
My idea is: when Auth::logout() is used, clear password_hash.

If I use session()->flush(); after Auth::logout();, it works well.
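The workaround in the last comment (flushing the session after Auth::logout()) is, in effect, what a logout action should do anyway: drop all session data, including the password_hash key that the AuthenticateSession middleware stores, and rotate the session ID and CSRF token so nothing from the previous user's session survives. The following controller is an added example for Laravel 5.5, not code from the thread or from the framework; the class name, route and redirect target are assumptions.

```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

// Hypothetical controller for this example (not part of the original issue).
class LogoutController extends Controller
{
    public function __construct()
    {
        // Only authenticated users can log out; AuthenticateSession is the
        // middleware whose stored password_hash the thread is about.
        $this->middleware(['auth', 'auth.session']);
    }

    /**
     * Log the current user out and leave no per-user state in the session.
     *
     * Auth::logout() alone removes the user id from the session, but as
     * reported above the password_hash written by AuthenticateSession stays
     * behind, so the next user logged in on the same session gets compared
     * against the previous user's hash and is logged out again (the "must
     * log in twice" symptom).
     */
    public function logout(Request $request)
    {
        // 1. Forget the authenticated user (and the remember-me cookie).
        Auth::logout();

        // 2. Flush every session key (password_hash included) and migrate
        //    to a fresh session ID, so the old ID cannot be reused.
        $request->session()->invalidate();

        // 3. Issue a new CSRF token; the old one belonged to the old session.
        $request->session()->regenerateToken();

        return redirect('/'); // assumed landing page after logout
    }
}
```

Register it as, for example, `Route::post('/logout', 'Auth\LogoutController@logout');` and send logouts as POST so that a logout cannot be triggered by a plain link or image tag. Using `invalidate()` rather than `flush()` is the difference that matters for defence: both clear the stored `password_hash`, but `invalidate()` also changes the session ID, which closes the session-fixation window between the old user leaving and the new user signing in.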
