Add AuthenticateSession middleware.

src/Illuminate/Foundation/Http/Kernel.php

@@ -75,6 +75,7 @@ class Kernel implements KernelContract
         \Illuminate\Session\Middleware\StartSession::class,
         \Illuminate\View\Middleware\ShareErrorsFromSession::class,
         \Illuminate\Auth\Middleware\Authenticate::class,
+        \Illuminate\Session\Middleware\AuthenticateSession::class,
         \Illuminate\Routing\Middleware\SubstituteBindings::class,
         \Illuminate\Auth\Middleware\Authorize::class,
     ];

src/Illuminate/Session/Middleware/AuthenticateSession.php

@@ -0,0 +1,88 @@
+<?php
+
+namespace Illuminate\Session\Middleware;
+
+use Closure;
+use Illuminate\Auth\AuthenticationException;
+use Illuminate\Contracts\Auth\Factory as AuthFactory;
+
+class AuthenticateSession
+{
+    /**
+     * The authentication factory implementation.
+     *
+     * @var \Illuminate\Contracts\Auth\Factory
+     */
+    protected $auth;
+
+    /**
+     * Create a new middleware instance.
+     *
+     * @param  \Illuminate\Contracts\Auth\Factory  $auth
+     * @return void
+     */
+    public function __construct(AuthFactory $auth)
+    {
+        $this->auth = $auth;
+    }
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        if (! $request->user() || ! $request->session()) {
+            return $next($request);
+        }
+
+        if (! $request->session()->has('password_hash') && $this->auth->viaRemember()) {
+            $this->logout($request);
+        }
+
+        if (! $request->session()->has('password_hash')) {
+            $this->storePasswordHashInSession($request);
+        }
+
+        if ($request->session()->get('password_hash') !== $request->user()->password) {
+            $this->logout($request);
+        }
+
+        return tap($next($request), function () use ($request) {
+            $this->storePasswordHashInSession($request);
+        });
+    }
+
+    /**
+     * Store the user's current password hash in the session.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return void
+     */
+    protected function storePasswordHashInSession($request)
+    {
+        $request->session()->put([
+            'password_hash' => $request->user()->password,
+        ]);
+    }
+
+    /**
+     * Log the user out of the application.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return void
+     *
+     * @throws \Illuminate\Auth\AuthenticationException
+     */
+    protected function logout($request)
+    {
+        $this->auth->logout();
+
+        $request->session()->flush();
+
+        throw new AuthenticationException;
+    }
+}