
My app is built on Laravel 8.x, deployed via Vapor, and uses Redis as the session driver.

I noticed this odd behaviour: if you log in, copy the cookie, log out, then import the cookie and refresh the page, you are logged back in.

Here are the steps to reproduce:

  1. Install the Cookie-Editor plugin in Chrome
  2. Log in to the app
  3. Use the Cookie-Editor plugin and export the cookie
  4. Log out of the app
  5. Use the Cookie-Editor plugin to import the exported cookie and refresh the page; you are now logged in

I followed the instructions on https://laravel.com/docs/8.x/authentication#logging-out to implement the logout functionality, but this doesn't seem to be working.

Auth::logout();                         // log the user out of the guard (also clears the remember-me cookie, if any)
$request->session()->invalidate();      // flush the data, destroy the old session id in the store, issue a new id
$request->session()->regenerateToken(); // rotate the CSRF token

I am not able to reproduce this with the app running locally in Apache + PHP; this behaviour is only observed on my Vapor-deployed instance.

Any idea what the issue might be? How do you properly log out, so that the cookie from the previous session can't be used again?

Latheesan
  • You have to find out how the users / sessions are stored. In ASP, for example, there is a `SecurityStamp` field in the user table that gets changed on logout. This way you can no longer log in with the old cookies. I guess it's similar here. – Charles Feb 22 '22 at 20:28
  • The session is stored in redis, I am not using database table. – Latheesan Feb 22 '22 at 20:46
  • fwiw: https://stackoverflow.com/questions/71217277/how-do-i-fix-this-bizarre-login-session-conflict-which-after-login-a-user-gets-r See part about session ID. You might need to narrow it down a bit more otherwise. – ficuscr Feb 22 '22 at 21:02
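The five manual steps in the question, scripted with curl so the same check can be run against the local Apache instance and the Vapor deployment and the two results compared. This is an added example, not code from the question or the answer. It assumes (none of this is stated in the post) a Laravel UI / Breeze style app: GET /login renders a form with a hidden `_token` input, POST /login takes `email` and `password`, POST /logout ends the session, and the page in `$PROTECTED` (default `/home`) is behind the `auth` middleware and redirects guests to /login. Adjust the paths to the app under test.

```shell
#!/bin/sh
# Added example: replays an exported cookie jar after logout, the way the
# Cookie-Editor steps in the question do, and reports whether it still logs in.
# Assumed app layout (not from the post): /login form + POST, POST /logout,
# and a protected page ($PROTECTED) that redirects guests to /login.

# Rule applied to the replayed request for the protected page. Kept as its own
# function so it can be checked without a server.
#   $1 = HTTP status, $2 = redirect target (empty when there was none)
classify_replay() {
    case "$1" in
        200) echo "REPLAYABLE: exported cookie still authenticates" ;;
        30[1237])
            case "${2:-}" in
                */login*) echo "OK: exported cookie rejected (redirected to login)" ;;
                *)        echo "UNKNOWN: redirected to ${2:-<none>}" ;;
            esac ;;
        401|403|419) echo "OK: exported cookie rejected (HTTP $1)" ;;
        *) echo "UNKNOWN: HTTP $1" ;;
    esac
}

# Extract the CSRF token that Blade's @csrf renders as a hidden input (stdin -> stdout).
csrf_token() {
    grep -o 'name="_token" value="[^"]*"' | head -n 1 | sed 's/.*value="//; s/"$//'
}

# Names of the cookies in a curl cookie jar (Netscape format, name is field 6).
# curl writes HttpOnly cookies such as laravel_session with a "#HttpOnly_" prefix,
# so those lines must not be skipped as comments.
jar_cookie_names() {
    awk '($1 !~ /^#/ || $1 ~ /^#HttpOnly_/) && NF >= 7 { print $6 }' "$1"
}

main() {
    : "${BASE:?set BASE to the app URL, e.g. https://app.example}"
    : "${EMAIL:?}" "${PASSWORD:?}"
    PROTECTED="${PROTECTED:-/home}"
    JAR="$(mktemp)"; EXPORTED="$(mktemp)"
    trap 'rm -f "$JAR" "$EXPORTED"' EXIT

    # Step 2: log in. GET the form for a CSRF token, then POST the credentials.
    token="$(curl -sS -b "$JAR" -c "$JAR" "$BASE/login" | csrf_token)"
    curl -sS -o /dev/null -b "$JAR" -c "$JAR" \
        --data-urlencode "_token=$token" --data-urlencode "email=$EMAIL" \
        --data-urlencode "password=$PASSWORD" "$BASE/login"
    status="$(curl -sS -o /dev/null -b "$JAR" -c "$JAR" -w '%{http_code}' "$BASE$PROTECTED")"
    [ "$status" = "200" ] || { echo "login failed: $PROTECTED returned HTTP $status" >&2; exit 2; }

    # Step 3: export the jar; this is what the Cookie-Editor export contains.
    cp "$JAR" "$EXPORTED"
    echo "exported cookies: $(jar_cookie_names "$EXPORTED" | tr '\n' ' ')"

    # Step 4: log out through the app (POST /logout with a token from a logged-in page).
    token="$(curl -sS -b "$JAR" -c "$JAR" "$BASE$PROTECTED" | csrf_token)"
    curl -sS -o /dev/null -b "$JAR" -c "$JAR" --data-urlencode "_token=$token" "$BASE/logout"

    # Step 5: replay only the exported jar (no -c, so nothing from this reply is kept)
    # against the protected page and classify the outcome.
    result="$(curl -sS -o /dev/null -b "$EXPORTED" -w '%{http_code} %{redirect_url}' "$BASE$PROTECTED")"
    # shellcheck disable=SC2086  (split into status and redirect target on purpose)
    classify_replay $result
}

# The network steps run only when a target is configured, e.g.:
#   BASE=https://app.example EMAIL=me@example.com PASSWORD=... sh replay_check.sh
if [ -n "${BASE:-}" ]; then main; fi
```

Run it once with `BASE` pointing at the local Apache instance and once at the Vapor URL; a `REPLAYABLE` result on one and `OK` on the other pins the difference to the deployment rather than to the logout code. The printed cookie list is worth reading too: if a `remember_web_...` cookie is among the exported ones, the replay exercises Laravel's remember-me path as well as the session cookie, and the two should be tested separately (delete one of them from the exported jar and re-run) before drawing conclusions about `invalidate()`.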

1 Answer

Auth::logout();

Session::flush();
Suraj Rao
Erame