New potential vulnerability in Laravel logout

Time:05-10

There is a strange problem which might be an undiscovered issue in Laravel security. It goes like this: while I submit an AJAX form to update or insert into the database (a lot of data that takes too much time) and I log out from another tab in the middle of it, the request will still succeed without an issue! And more importantly, after that my browser acts as if I did not log out at all! Am I going crazy or do we have a problem?

    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Auth;

    // Logs the user out of the 'web' guard and discards the current session.
    public function logout(Request $request)
    {
        Auth::guard('web')->logout();
        // Destroys the session record in the store and issues a new session ID.
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/');
    }

CodePudding user response:

For most people this is not a security vulnerability.

This happens because Laravel checks authentication in middleware, which runs BEFORE the controller method is called. So at the time your request starts, you're still authenticated.
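To illustrate what the answer describes and how a controller can defend against it, here is an added example (not code from the original post or from Laravel itself; the controller, table and field names are hypothetical). It is a long-running action that re-reads its own session from the backing store before each batch of writes. Laravel's `auth` middleware evaluates the session once, before the action runs, and `Auth::check()` inside the action consults the same in-memory copy, so neither notices a logout performed in another tab. The session handler's `read()` does notice it, because `session()->invalidate()` in the logout request destroys the record in the store.

```php
<?php
// Added illustration, not code from the original post or from Laravel.
// Assumes a Laravel application; the controller, table and request field
// names below are hypothetical. The route is expected to carry the 'auth'
// middleware, which runs once, before store() is entered.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class BulkImportController extends Controller
{
    public function store(Request $request): JsonResponse
    {
        $rows = $request->validate([
            'rows'   => ['required', 'array'],
            'rows.*' => ['array'],
        ])['rows'];

        $userId  = $request->user()->id;
        $written = 0;

        foreach (array_chunk($rows, 500) as $chunk) {
            // Check the backing store, not the in-memory session: Auth::check()
            // would still return true because the session was loaded (and the
            // user resolved) when the request started.
            if (! $this->sessionStillExists($request)) {
                // Drop the in-memory copy so the StartSession middleware does not
                // write the old session, login key included, back to the store and
                // re-send the old session cookie when this response goes out.
                $request->session()->invalidate();

                return response()->json(['message' => 'Session ended during request.'], 401);
            }

            DB::transaction(function () use ($chunk, $userId, &$written) {
                foreach ($chunk as $row) {
                    DB::table('records')->insert($row + ['user_id' => $userId]);
                    $written++;
                }
            });
        }

        return response()->json(['written' => $written]);
    }

    // Asks the configured session handler (file, database, redis, ...) whether a
    // record still exists for this request's session ID. Laravel's handlers return
    // an empty string for an unknown or destroyed session; a false from a custom
    // SessionHandlerInterface implementation is treated the same way.
    private function sessionStillExists(Request $request): bool
    {
        $session = $request->session();
        $data    = $session->getHandler()->read($session->getId());

        return $data !== '' && $data !== false;
    }
}
```

The check runs at chunk boundaries, so a logout that lands in the middle of a chunk is only noticed before the next one; shrink the chunk size if that window matters. Calling `invalidate()` on detection is what stops the logged-out browser from being handed its old session back by this request's response.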
