
m4riachi

Auth: user takes another user's session

Hi everyone,

I found a problem in my Laravel 6 app: a user can get the session of another connected user.

It can be done when the user sends an AJAX GET query with axios without sending the TOKEN.

Is it normal?

0 likes
4 replies
jlrdw

In the Laravel 6 From Scratch video series, there are 2 free authorization videos.

It's not enough to just authenticate, you need to set policies of who can do what.

You have to let authentication work with authorization.

You need something like this spatie example:

    public function update(Request $request, Post $post)
    {
        // Refuse unless the current user owns the post AND holds the permission.
        // (Assumes `author` holds the owning user's id.)
        if ($post->author !== auth()->user()->id || auth()->user()->cannot('edit posts')) {
            abort(404); // or some other response
        }
    }

Just an example there; study authorization in the docs, and view some videos.
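A fuller version of the pattern jlrdw describes, as an added example that is not part of the original reply: a Laravel 6 policy plus the controller action that invokes it, so that authentication (the `auth` middleware) and authorization (the policy) both run on every request. The class names, the `author_id` column, the validation rule and the route name are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. Assumes a `posts.author_id`
// column holding the owner's user id, and that the policy is registered
// in AuthServiceProvider::$policies (see the comment below).

// app/Policies/PostPolicy.php
namespace App\Policies;

use App\Post;
use App\User;

class PostPolicy
{
    // Only the post's author may update it; every other user is refused.
    public function update(User $user, Post $post): bool
    {
        return $user->id === $post->author_id;
    }
}

// app/Providers/AuthServiceProvider.php (relevant property only):
// protected $policies = [
//     \App\Post::class => \App\Policies\PostPolicy::class,
// ];

// app/Http/Controllers/PostController.php
namespace App\Http\Controllers;

use App\Post;
use Illuminate\Http\Request;

class PostController extends Controller
{
    public function __construct()
    {
        // Authentication first: guests never reach the actions below.
        $this->middleware('auth');
    }

    public function update(Request $request, Post $post)
    {
        // Authorization second: throws AuthorizationException (HTTP 403)
        // whenever PostPolicy::update returns false for the current user.
        $this->authorize('update', $post);

        $post->update($request->validate(['title' => 'required|string|max:255']));

        return redirect()->route('posts.show', $post);
    }
}
```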

m4riachi

Thank you for your message,

but the problem is that the session changes the user information, like if user 1's session takes user 2's information, and you find yourself connected as another user than you.
