Invalidate the session ID to prevent reuse
1. Good logs in
2. Bad captures Good's session cookie
3. Good logs out
4. Session cookie no longer works
5. Good logs in a second time
6. ORIGINAL session cookie works (Bad is also signed in)
daftspunk committed Jan 30, 2021
1 parent e292d79 commit 642f597
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/Auth/Manager.php
Expand Up @@ -686,7 +686,7 @@ public function logout()

$this->user = null;

Session::flush();
Session::invalidate();
Cookie::queue(Cookie::forget($this->sessionKey));
}
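
Review bot: The `Session::invalidate();` line in logout() carries no comment explaining why it must not be changed back to `Session::flush();`, and the commit touches only src/Auth/Manager.php, so nothing tests the six-step replay described in the commit message. Suggest a one-line comment above the call stating that the session ID itself has to be discarded on logout, because `Cookie::forget($this->sessionKey)` only asks the client to drop its cookie and does nothing about a copy held elsewhere. Also suggest a regression test that logs in, records the session cookie, logs out, logs in a second time, and asserts that the recorded cookie is not authenticated.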
