Description:

If the application uses Laravel's authentication that comes out of the box and the user logs out, the session is not flushed. Instead, a new session is created alongside the old one.

I believe this part causes the issue:

framework/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php, lines 158 to 160 in a513aaa

When `regenerate` is called right after `flush`, the old session isn't actually flushed. This renders the `regenerate` part useless and poses a threat of session fixation exploits.

Steps To Reproduce:

1. Using default Laravel Authentication, create a new user
2. Once the user is logged in, copy the session cookie value
3. Log out
4. Replace the session value with the one copied in step 2 (using Chrome Dev Tools or something similar)
5. You are logged in again
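As an added illustration (not code from the issue or from Laravel itself), the script below reproduces the mechanism behind the report with Illuminate's `Store` class and shows `invalidate()` as the hardened alternative to `flush()` followed by `regenerate()`. It assumes `illuminate/session` is installed via Composer; the in-memory handler and the `login_web` key are constructed for the example.

```php
<?php
// Added illustration (not code from the issue or from Laravel). Assumes illuminate/session
// is available via Composer autoload; the handler class and session key are constructed.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Session\Store;

// Minimal in-memory handler standing in for the file/database session driver, so we can
// inspect which session ids still exist on the backend after logout.
class InMemoryHandler implements SessionHandlerInterface
{
    public $records = [];
    #[\ReturnTypeWillChange] public function open($path, $name) { return true; }
    #[\ReturnTypeWillChange] public function close() { return true; }
    #[\ReturnTypeWillChange] public function read($id) { return $this->records[$id] ?? ''; }
    #[\ReturnTypeWillChange] public function write($id, $data) { $this->records[$id] = $data; return true; }
    #[\ReturnTypeWillChange] public function destroy($id) { unset($this->records[$id]); return true; }
    #[\ReturnTypeWillChange] public function gc($lifetime) { return 0; }
}

// Simulates login followed by logout; $hardened selects invalidate() over flush()+regenerate().
// Returns true if the pre-logout session record is still present on the backend.
function oldSessionSurvivesLogout(bool $hardened): bool
{
    $handler = new InMemoryHandler();
    $session = new Store('laravel_session', $handler);
    $session->start();
    $session->put('login_web', 42);   // constructed stand-in for the guard's authenticated-user key
    $session->save();
    $oldId = $session->getId();

    if ($hardened) {
        // invalidate() = flush() + migrate(true): the old id is destroyed on the handler
        $session->invalidate();
    } else {
        // The pattern the issue describes: data is cleared in memory, but regenerate()
        // defaults to migrate(false), so the old record is never destroyed on the handler.
        $session->flush();
        $session->regenerate();
    }
    $session->save();

    return array_key_exists($oldId, $handler->records);
}

echo 'flush()+regenerate() leaves old session: ', var_export(oldSessionSurvivesLogout(false), true), PHP_EOL;
echo 'invalidate() leaves old session: ', var_export(oldSessionSurvivesLogout(true), true), PHP_EOL;
```

A surviving record means the pre-logout cookie value still resolves to authenticated session data, which is exactly what the reproduction steps above replay.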