Auth::login and Auth::loginUsingId causes log out #997
Comments
Heya, thanks for reporting. We'll need more info and/or code to debug this further. Can you please create a repository with the command below, commit the code that reproduces the issue as separate commits on the main/master branch and share the repository here? Please make sure that you have the latest version of the Laravel installer in order to run this command. Please also make sure you have both Git & the GitHub CLI tool properly set up.
laravel new bug-report --github="--public"
Please do not amend and create a separate commit with your custom changes. After you've posted the repository, we'll try to reproduce the issue. Thanks!
@fylzero is this one resolved as well now?
@driesvints
@driesvints
@driesvints I was mistaken. This issue still exists when creating a new project. I'll put together a bug-report repo.
@driesvints Here is the repo, I've linked in the OP as well. https://github.com/fylzero/bug-report Instructions:
@fylzero Can you try reverting those changes made in 9.4.1 and see if it resolves the issue? Line to comment out:
My
@driesvints I have verified that when trying to use this functionality the evaluations for See:
@fylzero those changes are in the foundation kernel, not the app one. Have a closer look. |
@driesvints You are correct. Yes, commenting this out in the Foundation Kernel also resolves the logout issue. I don't understand why but the evaluation on line 55 of
@driesvints It appears in Jetstream/Sanctum this is causing this to compare the password_hash_sanctum to the password_hash_web tokens.
@driesvints I read the changelog in Laravel and yes reverting the change here: laravel/framework@50b46db ...also resolved the issue. I believe that is the problem.
I can't recreate this. |
@fylzero what you are reporting in your example repo is NOT a bug. That is in fact PROVING that session authentication is working correctly. You used I can't recreate it when using the impersonation package in question because they fully flush the session by logging out and then logging in again. This works on Jetstream using the lab404/laravel-impersonate package. When using authenticated sessions, a naive
@taylorotwell Fair enough. This was working before that update, so I wasn't sure. I'll look at what the package is doing and make the necessary changes. Obviously this only "broke" user impersonation so, not super mission-critical. Thanks for providing this info!
Yeah - it's a bit complicated. It helps if you have a good grasp of how authenticated sessions work. I'll try to summarize: When using authenticated sessions...
So, with this in place, when a user updates their password in a user profile section of an application, all other sessions for that user will automatically be logged out because their copy of the password in their sessions no longer matches the database. Pretty slick actually! So, back to your example, you log a new user into the application, but you never update the session password hash accordingly. Therefore, they no longer match and you are logged out.
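The mechanism described in the comment above, as an added stand-alone PHP illustration that is not code from this thread, from Laravel itself, or from the impersonation package: the `password_hash_<guard>` session key and the `getAuthPassword()` accessor are taken from the thread, and everything else (the `User`, `Session`, `loginUser` and `authenticateSession` stand-ins) is a constructed model of the behaviour, not the framework's implementation.

```php
<?php
// Constructed stand-in for the password-hash check that authenticated sessions
// perform (model of the behaviour described in the thread; not Laravel's code).
final class User {
    public function __construct(public int $id, private string $passwordHash) {}
    public function getAuthPassword(): string { return $this->passwordHash; }
}
final class Session {
    public array $data = [];
    public ?User $user = null;
}
// Log a user in. $refreshHash mirrors whether the caller updates the session's
// copy of the password hash; a plain Auth::login() from user code does not.
function loginUser(Session $s, User $u, string $guard, bool $refreshHash): void {
    $s->user = $u;
    if ($refreshHash) {
        $s->data["password_hash_$guard"] = $u->getAuthPassword();
    }
}
// Per-request check: when the session's copy of the hash differs from the
// current user's hash (password changed elsewhere, or a different user was
// swapped in without refreshing the key), the session is invalidated.
function authenticateSession(Session $s, string $guard): bool {
    if ($s->user === null) {
        return false;
    }
    $stored = $s->data["password_hash_$guard"] ?? null;
    if ($stored !== null && $stored !== $s->user->getAuthPassword()) {
        $s->user = null;      // logout
        $s->data = [];
        return false;
    }
    $s->data["password_hash_$guard"] = $s->user->getAuthPassword();
    return true;
}
$alice = new User(1, password_hash('alice-secret', PASSWORD_DEFAULT));
$bob   = new User(2, password_hash('bob-secret', PASSWORD_DEFAULT));
// Naive switch: log Bob in on Alice's session without touching the hash key.
$s = new Session();
loginUser($s, $alice, 'web', true);
authenticateSession($s, 'web');             // Alice's own request passes
loginUser($s, $bob, 'web', false);
$naive = authenticateSession($s, 'web');    // stored hash is Alice's: mismatch, logout
// Corrected switch: refresh password_hash_web for the new user (flushing the
// session before logging the new user in has the same effect).
$s = new Session();
loginUser($s, $alice, 'web', true);
loginUser($s, $bob, 'web', true);
$fixed = authenticateSession($s, 'web');    // stored hash is Bob's: session survives
printf("naive=%s fixed=%s\n", var_export($naive, true), var_export($fixed, true));
```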
For anyone else running into what I did, this seems to work for me but definitely feels backwards / like I'm cheating. getAuthPassword() seems to be grabbing the
The simplest solution is to put I don't know if this brings any security risks though.
Description:
Auth::login and Auth::loginUsingId causes user to be logged out
Steps To Reproduce:
https://github.com/fylzero/bug-report