Skip to content

Session not flushed when logging out #20100

New issue
New issue
Closed
Closed
Session not flushed when logging out#20100
@errb

Description

@errb
errb
opened on Jul 17, 2017
  • Laravel Version: 5.4.22
  • PHP Version: 7.0.9
  • Database Driver & Version: sqlite

Description:

If the application uses Laravel's authentication that comes out of the box and the user logs out, the session is not flushed. Instead, a new session is created alongside the old one.

I believe this part causes the issue:

framework/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php

Lines 158 to 160 in a513aaa

$request->session()->flush();
$request->session()->regenerate();

When regenerate is called right after flush, the old session isn't actually flushed. This renders the regenerate part useless and poses a threat for session fixation exploit.

Steps To Reproduce:

  1. Using default Laravel Authentication, create a new user

  2. Once user is logged in, copy the session cookie value

  3. Log out

  4. Replace the session value with the one copied in step 2 (using Chrome Dev Tools or something similar)

  5. You are logged in again

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions