
sandaur

Is it necessary to manually regenerate the session on every user login?

I was reading about session stuff in the Laravel documentation, and it says that if you do authentication manually you need to regenerate the session to avoid session fixation. So is what I'm doing OK, or does Auth::attempt already do the session regeneration?

if (Auth::attempt($credentials)) {
    $request->session()->regenerate();
    return ['message' => 'Authenticated!'];
}
Cronix
Best Answer

Have you studied the default LoginController (and the trait that it's using where most of the work is being done)?

They do

if ($this->attemptLogin($request)) {
    return $this->sendLoginResponse($request);
}

attemptLogin() is

protected function attemptLogin(Request $request)
{
    return $this->guard()->attempt(
        $this->credentials($request), $request->filled('remember')
    );
}

and sendLoginResponse is

protected function sendLoginResponse(Request $request)
{
    $request->session()->regenerate();

    $this->clearLoginAttempts($request);

    return $this->authenticated($request, $this->guard()->user())
            ?: redirect()->intended($this->redirectPath());
}

So, no, Auth::attempt() itself doesn't regenerate the session. They do it manually as you can see in the sendLoginResponse() method.
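An added illustration, not part of the thread and not Laravel's code: a simplified in-memory model of why the session ID is regenerated at login, comparing a login that keeps the pre-login ID with one that rotates it. `SessionStore`, `login()` and the user ID 42 are hypothetical names and values made up for this example.

```php
<?php
// Simplified in-memory model of a session store (assumption: not Laravel's code).
final class SessionStore
{
    /** @var array<string, array<string, mixed>> session ID => session data */
    private array $sessions = [];

    public function start(): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = [];
        return $id;
    }

    // Move the data to a fresh random ID and retire the old one.
    public function regenerate(string $oldId): string
    {
        $newId = bin2hex(random_bytes(16));
        $this->sessions[$newId] = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);
        return $newId;
    }

    public function put(string $id, string $key, $value): void
    {
        $this->sessions[$id][$key] = $value;
    }

    public function userFor(string $id): ?int
    {
        return $this->sessions[$id]['user_id'] ?? null;
    }
}

// Hypothetical login step; returns the session ID the client holds afterwards.
function login(SessionStore $store, string $id, int $userId, bool $regenerate): string
{
    if ($regenerate) {
        $id = $store->regenerate($id);
    }
    $store->put($id, 'user_id', $userId);
    return $id;
}

$store = new SessionStore();
foreach ([false, true] as $regenerate) {
    $preLoginId = $store->start(); // ID that existed before authentication
    $postLoginId = login($store, $preLoginId, 42, $regenerate); // 42: constructed user ID
    printf("regenerate=%s  pre-login ID -> %s  post-login ID -> %s\n", var_export($regenerate, true),
        var_export($store->userFor($preLoginId), true), var_export($store->userFor($postLoginId), true));
}
```

Run it with the `php` CLI and compare what the pre-login ID resolves to in the two passes; that difference is what the `regenerate()` call after `Auth::attempt()` is there to enforce.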
