mcpacific

Reputation: 165

Prevent logout after updating user password in Laravel 5.5

Beginning with Laravel 5.3, this middleware was added...

\Illuminate\Session\Middleware\AuthenticateSession

While it's definitely a benefit for security purposes, it's also responsible for logging the user out (presenting the user with the login page) if they change their password.

How do we prevent a user from being logged out (being forced to log back in) when they change their password, in Laravel 5.5?

Upvotes: 7

Views: 6658

Answers (7)

Mouad ZIANI

Reputation: 138

You can solve it by using the update method instead of save:

use Illuminate\Support\Facades\Hash;

// update the instance the guard already holds, so the guard sees the new hash
$user = auth()->user();

$user->update([
    'password' => Hash::make($data['new_password']),
]);

Upvotes: 0

Marten Koetsier

Reputation: 3549

What worked for me in a Laravel 8 project, as derived from the answers of manniL (use of Auth::login) and Lukmon Awoyemi (use the remember me functionality):

use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

public function updatePassword(UpdatePasswordRequest $request) {
    $user = $request->user();
    $user->fill([
        'password' => Hash::make($request->password),
    ])->save();

    // make sure to re-login the user; the second argument keeps "remember me"
    // only if a remember token was already set for this user
    Auth::login($user, !!$user->getRememberToken());

    $request->session()->flash('status', 'Password updated!');
    return redirect()->route('some.route');
}

The UpdatePasswordRequest is just a form request which validates the given original and new passwords, checking that the original password provided is valid and the new password is confirmed.

The addition here is to first check for a remember token. This check will return a token or null if no remember token was set. This information will be converted to boolean and provided to the login function.

Logging in the user like this will make sure that all necessary password and login hashes are updated in the session to match the new password hash. Therefore, the AuthenticateSession middleware will still recognize the user as being logged in. Also, the user is remembered if and only if s/he was remembered before the password change.

Upvotes: 0

Przemysław Legenza

Reputation: 9

For Laravel > 8.x

Better way:

// $user - user model after password change
auth()->setUser($user);

Upvotes: 0

Eduardo Ramos

Reputation: 534

For Laravel > 8.x

When the password_hash in the session is different from that of the current auth()->user(), Laravel will automatically log out the user. This is done in this middleware:

vendor/laravel/framework/src/Illuminate/Session/Middleware/AuthenticateSession.php

If you update the password_hash in the session with the new password hash, the user will not be logged out.

session()->put([
    // key is 'password_hash_' followed by the guard name, e.g. 'password_hash_web'
    'password_hash_' . auth()->getDefaultDriver() => $user->getAuthPassword()
]);

Example:

session()->put([
    'password_hash_web' => '$2y$10$...hashpasswordstoredondatabase'
]);

Upvotes: 1
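A fuller worked version of the re-login approach from the answers above (Auth::login on the guard's own user instance, as in Marten Koetsier's and TheAlexLichter's answers, together with the session password_hash comparison that Eduardo Ramos describes), written as an added example for this page and not taken from any of the answers or from Laravel itself. It assumes a stock Laravel 5.5 application with the App\User model, the default web guard, the Hash and Auth facades, the 5.x factory() test helper and a named home route; the controller name, route path and request field names are made up for the example. The feature test issues a second request after the password change so that AuthenticateSession runs again against the new hash.

```php
<?php
// Added example, not code from the answers above or from Laravel.
// File 1 (assumed path): app/Http/Controllers/PasswordController.php
// Assumed route: Route::post('/password', 'PasswordController@update')->middleware('auth');

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

class PasswordController extends Controller
{
    public function update(Request $request)
    {
        $request->validate([
            'current_password' => 'required|string',
            'password'         => 'required|string|min:8|confirmed',
        ]);

        // Work on the instance the guard already holds. AuthenticateSession
        // compares the hash stored in the session with
        // $request->user()->getAuthPassword() after the response is built, so
        // updating a separately loaded User leaves the guard with the old hash
        // and the next request is logged out.
        $user = $request->user();

        if (! Hash::check($request->input('current_password'), $user->getAuthPassword())) {
            return back()->withErrors([
                'current_password' => 'The current password is incorrect.',
            ]);
        }

        $user->password = Hash::make($request->input('password'));
        $user->save();

        // Re-login the updated instance. This refreshes the guard's user and
        // regenerates the session id; the middleware then stores the new hash.
        // Sessions on other devices still carry the old hash, so they are
        // logged out on their next request, which is what the middleware is for.
        Auth::login($user, (bool) $user->getRememberToken());

        return redirect()->route('home')->with('status', 'Password updated.');
    }
}

// File 2 (assumed path): tests/Feature/PasswordChangeTest.php
namespace Tests\Feature;

use App\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;

class PasswordChangeTest extends TestCase
{
    use RefreshDatabase;

    public function testUserStaysLoggedInAfterChangingPassword()
    {
        // Constructed test user; the passwords are sample values only.
        $user = factory(User::class)->create([
            'password' => Hash::make('old-secret-123'),
        ]);

        $this->actingAs($user)->post('/password', [
            'current_password'      => 'old-secret-123',
            'password'              => 'new-secret-456',
            'password_confirmation' => 'new-secret-456',
        ])->assertRedirect('/home');

        // Second request: AuthenticateSession runs again and must find the
        // hash stored in the session equal to the user's new hash.
        $this->get('/home')->assertStatus(200);

        $this->assertAuthenticatedAs($user);
        $this->assertTrue(Hash::check('new-secret-456', $user->fresh()->password));
    }
}
```

The two classes are shown in one listing for compactness; in a real project they live in the two files named in the comments. The design point is the choice of instance: the controller changes the password on $request->user() rather than on a freshly loaded model, and then logs that same instance back in, so the current session keeps working while every other session of the same account is still invalidated by the middleware on its next request.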

user7153178

Reputation:

What worked for me was to log out, clear the session, then log in again:

use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Session;

// assumes this runs inside the User model, so $this is the user to log back in
Auth::guard('web')->logout();
Session::flush();
Auth::guard('web')->login($this);

Upvotes: 8

Lukmon Awoyemi

Reputation: 11

Just a side note: sometimes you might have to update the password_hash of your session. It is the best way to complete the update-password process.

auth()->login($user, true);

// store the new hash of the same user that was just logged in
$request->session()->put([
    'password_hash' => $user->getAuthPassword(),
]);

It's important you do this after logging in the user again, or else further calls to

auth()->user();

would return null.

Upvotes: 1

TheAlexLichter

Reputation: 7289

Instead of changing the middleware, just "re-login" the user after changing the password:

<?php
use Illuminate\Support\Facades\Auth;

//$user->passwordChangeMagicHere()

Auth::login($user);
//And the user is logged in again!

Upvotes: 9
