
Friaku's avatar

Change Authenticated User's Password - Bcrypt Issues [Laravel 5.2]

So I'm having a few issues with allowing the user to change their own password.

Now, I've gotten it to work so that it does actually change the current user's password since I see it change within the Database. However! What it's not doing is allowing the user to login through this new password. Nor does it allow them to use this new password to change because it's not recognising the new password. It's as if Laravel does not recognise this new password..

View:


<div class="panel panel-default">
            <div class="panel-heading">Change Your Password</div>
                {{ Form::open(array('url' => 'security/change_password')) }}
                    <div class="form-group">
                        {!! Form::label('current_password', 'Enter Current Password:') !!}
                        {!! Form::password('current_password', ['class'=>'form-control']) !!}
                    </div>

                    <div class="form-group">
                        {!! Form::label('password', 'Enter New Password:') !!}
                        {!! Form::password('password', ['class'=>'form-control']) !!}
                    </div>

                    <div class="form-group">
                        {!! Form::label('password_confirmation', 'Confirm New Password:') !!}
                        {!! Form::password('password_confirmation', ['class'=>'form-control']) !!}
                    </div>

                    <div class="form-group">
                        {!! Form::submit('Change Password', ['class' => 'btn btn-primary form-control']) !!}
                    </div>
                {!! Form::close() !!}

        </div>

Controller:


<?php
public function updatePassword(UserSecurityFormRequest $request)
    {

        $user = Auth::user();
        $current_password = $request->input('current_password');
        $new_password = $request->input('password');
        if (!Hash::check($current_password, $user->password)) {
            return back()->withErrors('Please specify the good current password');
        }
        else{
            $user->password = Hash::make($new_password);
            $user->save();
        }
    }
?>

I have also tried this: Controller V2

public function updatePassword(UserSecurityFormRequest $request)
    {

        $user = Auth::user();
        $current_password = $request->input('current_password');
        $new_password = $request->input('password');
        if (!Hash::check($current_password, $user->password)) {
            return back()->withErrors('Please specify the good current password');
        }
        else{
            $user->password = bcrypt($new_password);
            $user->save();
        }
    }

No such luck :/

Then I tried this in my controller:

public function updatePassword(UserSecurityFormRequest $request) {

    $user = Auth::user();
    $current_password = $request->input('current_password');
    $new_password = $request->input('password');
    if (!Hash::check($current_password, $user->password)) {
        return back()->withErrors('Please specify the good current password');
    }
    else{
        $user->fill([
                'password' => Hash::make($request->newPassword)
            ])->save();
    }
}

Again. As before, it changed the password but then when I went to change it again through the form; it did not recognise the changed password.

Request:

<?php

namespace App\Http\Requests;

use App\Http\Requests\Request;

class UserSecurityFormRequest extends Request
{
    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        return true;
    }

    /**
     * Get the validation rules that apply to the request.
     *
     * @return array
     */
    public function rules()
    {
        return [
            'current_password' =>  'required|min:6',
            'password' => 'required|min:6|confirmed',
        ];
    }
}
?>

Now, a few places suggested setting an attribute for password like so:

<?php
public function setPasswordAttribute($password) 
    { 
        return $this->attributes['password'] = bcrypt($password); 
    }
?>

^I didn't have much luck with that. If any :/

I know the code (esp in the controller) is rather messy but I'll sort that out once I've fixed the functionality.

Any help would be highly appreciated

Best regards

Friaku

bobbybouwmann's avatar

So I guess the problem is that you encrypt the password too many times. If you create a setter like setPasswordAttribute you don't have to encrypt the password in your controller.

Now I recommend you to clear out your development database and try it with a fresh user, should work fine ;)

Friaku's avatar

I tried that with a new user. Didn't work at all. See, I can register the user all fine and it logs me in automatically after a successful registration.

However if I was to go to change my password through that form I made, it wouldn't accept the password I registered with. This is with the following in the User:


public function setPasswordAttribute($password) 
    { 
        return $this->attributes['password'] = bcrypt($password); 
    }

I'd also like to point out that I can no longer login that newly created user with that password.. so I guess Laravel can't recognise it for some reason?

b's avatar

are your $current_password and $new_password filled correctly from the request?

can you dump a list of attributes posted from the form to the controller?

Friaku's avatar

They are indeed correct. I know this because when I go to change a password of an account where the password works (as in password has not been altered since registration); it allows me to change the password. However when I go to change the password using the password that I only just changed it to, it simply stops working. When I log out and attempt to log into the same account with the new password, it doesn't allow me access.

So yup, the $current_password and $new_password are filled in accordance to the rules I've set in the Request. :(

b's avatar

I asked it because it's probably hashing something other than what was submitted from the form. If this is the case, if you update the user's password manually in tinker for example or manually updating the database

$user->update(['password' => bcrypt('test')])

you should be able to login again using test but if you change the password using current test password in the form it fails again. have you tried this?

Friaku's avatar

Ooh! Ok, so it does indeed work. Updating the user manually within tinker actually updates it and also allows me to login.

So there's something wrong with my form? Because manually changing it within tinker allows me to login. But once I go to change my password through the form; it no longer works :/

I've dd($current_password) and dd($new_password) and they both come up as they should when the form is submitted successfully (using the manually set password).

Just to clarify; I can login with "test" and change the password using "test" but after that; I can no longer use the new password to change anything (or even login) because Laravel is not recognising it..

Friaku's avatar

This is what happens when I dump the form submission when I am able to successfully :

POST /security/change_password HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 117
Content-Type: application/x-www-form-urlencoded
Cookie: XSRF-TOKEN=eyJpdiI6IjY4SFMrSThhWG5JcU0yMXQ2NTNmZEE9PSIsInZhbHVlIjoiQVBTR0pnMngwd3M0NTREcG1MK1J2c2xoeDVFOG1MMUM2ZEFlQ1VRbnpIdzl5QkZtRDRoamZpamJwcjVnVUh4a3lMa2hqRWs0dVRHdzlMalJaQjYrbkE9PSIsIm1hYyI6ImUyZDM5YzQzMjBhYjMwYzdjODk5MmQyNTZiOTY4ZjhlYWY1MDdkYTk5MzA1ZjVlYmMzYzY0ODFhZjJkNmIwNzEifQ%3D%3D; laravel_session=eyJpdiI6Ik9lUFFTU3c3RUQ4TTJvUkRacEJVV3c9PSIsInZhbHVlIjoiejZQTUREMitmdWM0VDlFWTdCMG5Ja0RGQ1laWEwwNnBLMHFOMkdUaTBualJ2UFpUMzBmbUtZaGgrT0l1cFdnK1wvd0N5RGNxMlpcL1wvdHFDbDVzS0JxeVE9PSIsIm1hYyI6IjVkNTZkMjZhNDEwNDc3NmUxZjI2OTJhMjkwY2ZmMjkwZTA5YWUzZDU3OTBhY2Y3OWU5MmEwMDZhNjA4M2E5MTYifQ%3D%3D
Dnt: 1
Host: localhost:8000
Origin: http://localhost:8000
Referer: http://localhost:8000/security
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

_token=MxPIdCMhFEPy7h13p2ybJrmz8KzJKpDtfuhX8V15&current_password=testing&password=123456&password_confirmation=123456

If you look towards the end you'll see:

"password=testing&password=123456&password_confirmation=123456"

That's the data that is being submitted successfully..

However! A failed password change (when I've entered the correct password of "123456") gives me the error message that I've set in the "else" of my Controller function :/

Friaku's avatar
Best Answer

Issue is now resolved. I made a mistake in reading the documentation.

Controller before:

$user = Auth::user();
    $current_password = $request->input('current_password');
    $new_password = $request->input('password');
    if (!Hash::check($current_password, $user->password)) {
        return back()->withErrors('Please specify the good current password');
    }
    else{
        $user->fill([
                'password' => Hash::make($request->newPassword)
            ])->save();
    }
}

                'password' => Hash::make($request->newPassword)

^That should have been:

                'password' => Hash::make($request->password)

as it is the password field in the database rather than the "newPassword" field.

All credit to Steve Bauman at StackOverflow.

Thank you everyone who took the time to respond to me in this thread.

Thank you.
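
The two failure modes raised in this thread (hashing a request field the form never sends, and hashing once in the controller and again in a model mutator), reproduced as an added example that is not part of the original posts. Plain PHP `password_hash()`/`password_verify()` stand in for Laravel's `Hash::make()`/`Hash::check()`; `report()`, `newPasswordHash()` and the sample input are hypothetical.

```php
<?php
// Added illustration, not code from the thread. password_hash()/password_verify()
// stand in for Laravel's Hash::make()/Hash::check(), which wrap them.

function report(string $label, bool $ok): void
{
    echo ($ok ? 'PASS' : 'FAIL') . "  $label\n";
}

// Hypothetical helper: refuse to hash anything but a present, non-empty string,
// and confirm the new hash verifies before the caller stores it.
function newPasswordHash(array $input, string $storedHash): string
{
    foreach (['current_password', 'password'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field]) || $input[$field] === '') {
            throw new InvalidArgumentException("missing field: $field");
        }
    }
    if (!password_verify($input['current_password'], $storedHash)) {
        throw new RuntimeException('current password does not match');
    }
    $hash = password_hash($input['password'], PASSWORD_BCRYPT);
    if (!password_verify($input['password'], $hash)) {
        throw new LogicException('new hash does not verify');
    }
    return $hash;
}

// Constructed sample input using the field names this thread's form posts.
$input  = ['current_password' => 'testing', 'password' => '123456'];
$stored = password_hash('testing', PASSWORD_BCRYPT);

// 1) A field the form never sends reads as null; hashing it stores a valid
//    bcrypt hash of the empty string, so the column changes but nothing matches.
$bad = password_hash((string) ($input['newPassword'] ?? null), PASSWORD_BCRYPT);
report('missing field: new password is rejected', !password_verify('123456', $bad));
report('missing field: empty string is accepted', password_verify('', $bad));

// 2) Hashing in the controller and again in a model mutator stores a hash of a hash.
$twice = password_hash(password_hash('123456', PASSWORD_BCRYPT), PASSWORD_BCRYPT);
report('double hash: new password is rejected', !password_verify('123456', $twice));

// 3) Reading the posted field name and hashing exactly once.
$good = newPasswordHash($input, $stored);
report('single hash of posted field verifies', password_verify('123456', $good));
```

Run it with the PHP CLI (PHP 7 or later); every line prints PASS when the behaviour matches the description in the comments.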
