Skip to content

Regenerate session during Auth::login() #57204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 8, 2025
Merged

Regenerate session during Auth::login() #57204

merged 4 commits into from
Oct 8, 2025

Conversation

@valorin
Copy link
Contributor

@valorin valorin commented Sep 29, 2025

Use Session::regenerate() instead of Session::migrate() during the login flow.
@taylorotwell
Copy link
Member

taylorotwell commented Sep 30, 2025

@valorin does this have any risk of breaking changes with the other changes we've made in terms of regenerating and migrating twice, etc.
@valorin
Copy link
Contributor Author

valorin commented Sep 30, 2025

@taylorotwell Nope, there should be no negative effects or breaking changes associated with this and the other changes we made. 👍

The login flow already called migrate() and regenerate() together, with the only difference between migrate() and regenerate() being generating a random string and storing it in the session:

framework/src/Illuminate/Session/Store.php

Lines 740 to 743 in ec54077

public function regenerateToken()
{
$this->put('_token', Str::random(40));
}

@taylorotwell taylorotwell merged commit 975d60a into laravel:12.x Oct 8, 2025
63 checks passed
@ghbob ghbob mentioned this pull request Oct 16, 2025
Closed
@AhmedAlaa4611
Copy link
Contributor

AhmedAlaa4611 commented Oct 18, 2025

Should we also invalidate() and regenerateToken() in logout()?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

3 participants

@valorin @taylorotwell @AhmedAlaa4611