@valorin
Contributor

@valorin valorin commented Sep 29, 2025

Use Session::regenerate() instead of Session::migrate() during the login flow.

@taylorotwell
Member

@valorin Does this have any risk of breaking changes with the other changes we've made in terms of regenerating and migrating twice, etc.?

@valorin
Contributor Author

valorin commented Sep 30, 2025

@taylorotwell Nope, there should be no negative effects or breaking changes associated with this and the other changes we made. 👍

The login flow already called migrate() and regenerate() together, with the only difference between migrate() and regenerate() being generating a random string and storing it in the session:

public function regenerateToken()
{
    $this->put('_token', Str::random(40));
}

@taylorotwell taylorotwell merged commit 975d60a into laravel:12.x Oct 8, 2025
63 checks passed
@AhmedAlaa4611
Contributor

Should we also invalidate() and regenerateToken() in logout()?

@ConorEdwardsCP

This broke our workflow. Regenerating this token causes Livewire to blow up because it doesn't get the updated token. It keeps trying to use the existing session token, and gives a 419 error every time it tries to update anything.

We're currently using laravel/framework 12.33.0, and bumping to 12.34.0 causes our sign up flow to blow up.

Is there a way to work around this?

@valorin
Contributor Author

valorin commented Nov 19, 2025

This feels like an issue that should be fixed in Livewire, as rotating the CSRF token is critical for security across authentication boundaries.
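
A simplified model of the difference discussed in this thread, added here as an illustration and not code from the PR or from Laravel; `ToySession` and `verifyCsrf()` are hypothetical names. It shows that a CSRF token captured before login still validates after `migrate()` but is rejected with 419 after `regenerate()`, so a client has to pick up the new token once the authentication boundary is crossed.

```php
<?php
// Simplified model, not Laravel's session store. ToySession and verifyCsrf() are hypothetical.
final class ToySession
{
    private string $id;
    private array $data = [];

    public function __construct()
    {
        $this->id = bin2hex(random_bytes(20));
        $this->regenerateToken();
    }

    public function id(): string { return $this->id; }
    public function token(): string { return $this->data['_token']; }

    // New session ID, same data: the old CSRF token stays valid.
    public function migrate(): void
    {
        $this->id = bin2hex(random_bytes(20));
    }

    public function regenerateToken(): void
    {
        $this->data['_token'] = bin2hex(random_bytes(20));
    }

    // New session ID and a new CSRF token.
    public function regenerate(): void
    {
        $this->migrate();
        $this->regenerateToken();
    }
}

// Constant-time comparison; a mismatch maps to the 419 response mentioned in the thread.
function verifyCsrf(ToySession $session, string $submitted): int
{
    return hash_equals($session->token(), $submitted) ? 200 : 419;
}

$session = new ToySession();
$pageToken = $session->token(); // token embedded in a page rendered before login

$session->migrate();
printf("after migrate():    stale token -> %d\n", verifyCsrf($session, $pageToken));

$session->regenerate();
printf("after regenerate(): stale token -> %d\n", verifyCsrf($session, $pageToken));
printf("after regenerate(): fresh token -> %d\n", verifyCsrf($session, $session->token()));
```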
