Invalidate the session ID to prevent reuse

1. Good logs in 2. Bad captures Good's session cookie 3. Good logs out 4. Session cookie no longer works 5. Good logs in a second time 6. ORIGINAL session cookie works (Bad is also signed in)
octobercms · Jan 30, 2021 · 642f597 · 642f597
1 parent e292d79
commit 642f597
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/Auth/Manager.php b/src/Auth/Manager.php
@@ -686,7 +686,7 @@ public function logout()
 
         $this->user = null;
 
-        Session::flush();
+        Session::invalidate();
         Cookie::queue(Cookie::forget($this->sessionKey));
     }