
TrevorTse

Is it really necessary to call session()->regenerate() after login?

The document and course told us to regenerate session id after login.

    if (Auth::attempt($credentials)) {
        $request->session()->regenerate();
    }

But I discovered that even without session()->regenerate(), the session id (session()->getId()) still changes after login.

Actually, both the Auth::attempt() and session()->regenerate() methods call Session::migrate().
https://github.com/laravel/framework/blob/9.x/src/Illuminate/Session/Store.php
https://github.com/laravel/framework/blob/9.x/src/Illuminate/Auth/SessionGuard.php

Is it really necessary to call session()->regenerate() after login?

Niush

Auth::attempt() never calls the $this->regenerateToken() function. Looking at the code, the migrate function only destroys the session and updates the session id variable. But regenerate is the one needed to actually generate a new token. Probably a small issue is that setId is likely called twice, from both Auth::attempt() and regenerate().

TrevorTse

@Niush I get it. The CSRF token stored server-side will not be changed without session()->regenerate(). But is the session fixation attack still valid if the session id is changed?
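As an added illustration of the distinction Niush points out and of the follow-up question above (a model written for this thread, not Laravel's own Store class; SessionStoreModel and its method bodies are assumptions): migrate() rotates the id while keeping the in-memory attributes, so _token survives, and regenerate() is migrate() plus a fresh token.

```php
<?php
// Simplified model of a Laravel-style session store, added for this thread as an
// illustration; it is not Laravel's own Store class and the method bodies are assumptions.
final class SessionStoreModel
{
    private array $backend = [];    // stands in for the session handler's storage
    private array $attributes = []; // in-memory session data, including the CSRF _token
    private string $id;

    public function __construct()
    {
        $this->id = bin2hex(random_bytes(20));
        $this->attributes['_token'] = bin2hex(random_bytes(20));
    }

    public function getId(): string { return $this->id; }
    public function token(): string { return $this->attributes['_token']; }
    public function save(): void { $this->backend[$this->id] = $this->attributes; }

    // What the login path does via migrate(true): drop the old record, assign a
    // fresh id, but keep the in-memory attributes, so _token survives unchanged.
    public function migrate(bool $destroy = false): bool
    {
        if ($destroy) {
            unset($this->backend[$this->id]);
        }
        $this->id = bin2hex(random_bytes(20));
        return true;
    }

    // What session()->regenerate() adds on top of migrate(): a new CSRF token.
    public function regenerate(bool $destroy = false): bool
    {
        $migrated = $this->migrate($destroy);
        $this->attributes['_token'] = bin2hex(random_bytes(20));
        return $migrated;
    }
}

$session = new SessionStoreModel();
$session->save();
[$idBefore, $tokenBefore] = [$session->getId(), $session->token()];

$session->migrate(true); // login alone: id rotates, token does not
printf("after migrate: id changed=%d, token changed=%d\n",
    $idBefore !== $session->getId(), $tokenBefore !== $session->token());

$session->regenerate(); // explicit regenerate after login: token rotates too
printf("after regenerate: token changed=%d\n", $tokenBefore !== $session->token());
```

Comparing the two printouts shows why the explicit regenerate() call is still worthwhile even though the id already rotates on login.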
