fix: destory old session

kenjis · kenjis · commit 47e08d29e090 · 2022-08-02T08:14:51.000+09:00
CSRF token is updated before session regeneration, so same-site attakcers
may get the new CSRF token. To prevent it, delete the old session.
diff --git a/src/Authentication/Authenticators/Session.php b/src/Authentication/Authenticators/Session.php
@@ -567,7 +567,7 @@ public function startLogin(User $user): void
 
         // Regenerate the session ID to help protect against session fixation
         if (ENVIRONMENT !== 'testing') {
-            session()->regenerate();
+            session()->regenerate(true);
         }
 
         // Let the session know we're logged in

Original file line number	Diff line number	Diff line change
`@@ -567,7 +567,7 @@ public function startLogin(User $user): void`
`567`	`567`
`568`	`568`	`// Regenerate the session ID to help protect against session fixation`
`569`	`569`	`if (ENVIRONMENT !== 'testing') {`
`570`		`- session()->regenerate();`
	`570`	`+ session()->regenerate(true);`
`571`	`571`	`}`
`572`	`572`
`573`	`573`	`// Let the session know we're logged in`