Let's assume we are using the session driver for your auth guard, and we have two users, user 1 and user 2. If you have logged in as user 1 and then logged out, you won't be able to log in from the same device (without clearing the session cookie) at once; you will only be able to do that after a second try.
When you are using the session driver, after logging in a password_hash key will be added to the current session, which will have the hashed value of the current user's password (from the DB), as per https://github.com/laravel/framework/issues/16311.
But after logging out that item won't be removed from the session, so when you try to log in as another user, the new user's id will be put in the session, and when the \Illuminate\Session\Middleware\AuthenticateSession middleware is called after that, after some if-else chain, the user will be logged out because the password_hash attribute will not match the current user's (user 2) hashed password.
After logging out the user, the given middleware will flush the session, after which you will be able to log in (from a second try).
Remove password_hash attribute from session after logout
Just installed a fresh 5.6.39 skeleton and this is working fine. Is there any more info you can give? Can you reproduce this behavior on a fresh 5.6.39 version?
Maybe best to first check Laravel's Discord, Laracasts, Laravel.io or Larachat slack.
Have you enabled \Illuminate\Session\Middleware\AuthenticateSession middleware?
I guess it is commented by default.
Heya, unfortunately we don't support this version anymore. Please check out our support policy on which versions we are currently supporting. Can you please try to upgrade to the latest version and see if your problem persists? If so feel free to reply and we'll try to have a look.
I encountered something similar, and debugging, I found out that the password_hash remained on the session after logout.
To fix this, I manually remove the password_hash on logout.
Session::remove('password_hash');
It's not super fancy, but it's something
Hello. I can confirm this is still an existing issue in 5.7.28 as of 28-aug-2017, just under the wire for security fixes, according to the support policy :) Only if the AuthenticateSession middleware is active (uncommented), log in as user 1, log out, log in as user 2, get the authentication exception thrown. Similar to @juampi92, my attempted fix was to use Session::flush() in the auth login controller logout action, which seemed to fix things. I'm going to try their more surgical solution, too, just to give it a whirl, but will probably simply comment AuthenticateSession back out... But I'm glad I'm not the only one who was encountering this situation.
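The sequence reported in this thread, as an added example that is not part of any comment above and is not Laravel's source: a plain-PHP model of the session state showing why the first login as user 2 is rejected while a stale password_hash remains, and why clearing it on logout avoids that. The users, hash strings and all function names are constructed for illustration, and the middleware check is simplified to the comparison the issue describes.

```php
<?php
// Simplified model of the sequence described in this thread; not Laravel's source.
// Users, hash strings and function names are constructed for illustration.
$users = [
    1 => ['id' => 1, 'password' => 'constructed-hash-user-1'],
    2 => ['id' => 2, 'password' => 'constructed-hash-user-2'],
];
function login(array &$session, array $user): void
{
    $session['user_id'] = $user['id'];
}

// Logout as reported: the user id is dropped, password_hash stays behind.
function logoutAsReported(array &$session): void
{
    unset($session['user_id']);
}
// Logout with the workaround from the thread: password_hash is dropped too.
function logoutWithWorkaround(array &$session): void
{
    unset($session['user_id'], $session['password_hash']);
}

// Model of the middleware check: returns true when the request passes.
function authenticateSession(array &$session, array $users): bool
{
    if (!isset($session['user_id'])) {
        return true; // guest request, nothing to compare
    }
    $current = $users[$session['user_id']]['password'];
    // Store the hash only when the session has none yet.
    $session['password_hash'] = $session['password_hash'] ?? $current;
    if (!hash_equals($session['password_hash'], $current)) {
        $session = []; // mismatch: user is logged out and the session flushed
        return false;
    }
    return true;
}

// Log in as user 1, log out, log in as user 2, then run the check.
function secondLoginPasses(callable $logout, array $users): bool
{
    $session = [];
    login($session, $users[1]);
    authenticateSession($session, $users); // stores user 1's hash
    $logout($session);
    login($session, $users[2]);
    return authenticateSession($session, $users);
}
var_dump(secondLoginPasses('logoutAsReported', $users));
var_dump(secondLoginPasses('logoutWithWorkaround', $users));
```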