Reputation: 49
We recently got our Laravel 5.6 application penetration tested and one of the issues that was flagged was the expiration not being set correctly on logout. The AuthenticatesUsers trait calls the invalidate method on the session, which basically flushes the session data and regenerates the ID but doesn't set an expiration on it.
According to the report, if an attacker can obtain a valid session token, they will be able to hijack the affected user’s account. The user logging off will not invalidate the attacker’s session.
Any pointers here would be of great help.
Thanks
```php
/**
 * Log the user out of the application.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return \Illuminate\Http\Response
 */
public function logout(Request $request)
{
    // Remove the authenticated user from the guard for this session.
    $this->guard()->logout();

    // Flush all session data and regenerate the session ID.
    $request->session()->invalidate();

    return redirect('/');
}
```
Upvotes: 0
Views: 1372
Reputation: 5552
Laravel 5.6 added an Auth::logoutOtherDevices() method for this purpose:

https://laravel.com/docs/5.7/authentication#invalidating-sessions-on-other-devices
https://laracasts.com/series/whats-new-in-laravel-5-6/episodes/7
https://github.com/laravel/framework/issues/16311
Upvotes: 1
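As an added example (not code from the question, the answer, or Laravel itself), here is a "log out everywhere" action that combines the logout shown in the question with the Auth::logoutOtherDevices() call the answer points to; the controller and route names are assumptions, and it assumes the AuthenticateSession middleware is enabled as described in the comments.

```php
<?php
// Assumed controller (hypothetical name). For logoutOtherDevices() to take
// effect, \Illuminate\Session\Middleware\AuthenticateSession::class must be
// listed in the 'web' middleware group in app/Http/Kernel.php: that middleware
// stores the user's password hash in each session and logs out any session
// whose stored hash no longer matches the user's current hash.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

class LogoutEverywhereController extends Controller
{
    public function __construct()
    {
        // Only an authenticated user may revoke their own sessions.
        $this->middleware('auth');
    }

    /**
     * Log the user out of this session and out of every other device.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\Response
     */
    public function logout(Request $request)
    {
        // logoutOtherDevices() stores a fresh hash of the supplied password, so
        // the current password must be confirmed first; a wrong value would
        // otherwise change the user's password to whatever was typed.
        $request->validate(['password' => 'required|string']);

        if (! Hash::check($request->password, $request->user()->password)) {
            return back()->withErrors(['password' => 'The password is incorrect.']);
        }

        // Rehash the password; other sessions now fail the middleware check.
        Auth::logoutOtherDevices($request->password);

        // Then the normal logout from the question: drop this session's data
        // and rotate its ID.
        Auth::logout();
        $request->session()->invalidate();

        return redirect('/');
    }
}
```

Other devices are logged out on their next request, not instantly, because the check runs inside the middleware; a plain logout without the password confirmation cannot use logoutOtherDevices() since it needs the password to rehash.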