
jpp_laravel

User appears to be logged out when password is updated (Fortify)

Hi there!

In my single page application, after updating the user password with the Fortify route PUT /user/password, the user appears to be logged out when requesting the server again (Laravel 11).

My investigation:

In my App\Actions\Fortify\UpdateUserPassword, if I remove the line 'password' => Hash::make($input['password']), the user is still logged in and can request the server again as a logged-in user (but of course the password is not updated). So I assume the password is "linked" to the user session and when we update it, the session is not valid anymore?

(I tried to update the config file hashing.php with 'rehash_on_login' => false, but this does not solve the problem.)

Steps to reproduce (using Laravel Fortify):

  • I log in a user
  • I call route PUT /user/password
  • I call any other route of my application that requires being logged in
  • I receive a 401 response

Thank you for your help :)

martinbean

@jpp_laravel Yes, sessions will be invalidated if the password is changed.

Imagine someone has discovered your password and logged in on another device. It would be a bit rubbish if you changed your password from your device but it didn’t log the bad actor out of your account on their device.
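
The behaviour discussed in this thread, as an added example that is not part of any reply and is not Laravel or Fortify code: a plain-PHP model in which each session keeps a copy of the password hash and every request compares it with the user's current hash. The class and function names (User, Session, changePassword) and the sample passwords are hypothetical; the second run shows the changing session staying logged in when its stored copy is refreshed.

```php
<?php
// Simplified model (added example; hypothetical names, not framework code).
final class User
{
    public function __construct(public string $passwordHash) {}
}

final class Session
{
    public ?string $passwordHash = null; // null means "not authenticated"

    public function login(User $user, string $password): bool
    {
        if (!password_verify($password, $user->passwordHash)) {
            return false;
        }
        $this->passwordHash = $user->passwordHash; // remember hash seen at login
        return true;
    }

    // Per-request check: the status an authenticated route would return.
    public function request(User $user): int
    {
        if ($this->passwordHash === null
            || !hash_equals($user->passwordHash, $this->passwordHash)) {
            $this->passwordHash = null; // stale copy: treat the session as logged out
            return 401;
        }
        return 200;
    }
}

function changePassword(User $user, string $new, ?Session $keep = null): void
{
    $user->passwordHash = password_hash($new, PASSWORD_DEFAULT);
    // Refreshing the stored copy keeps only the session that made the change.
    if ($keep !== null && $keep->passwordHash !== null) {
        $keep->passwordHash = $user->passwordHash;
    }
}

foreach ([false, true] as $refreshCurrent) {
    // Constructed sample: one user logged in from two devices.
    $user = new User(password_hash('old-secret', PASSWORD_DEFAULT));
    $mine = new Session();
    $other = new Session();
    $mine->login($user, 'old-secret');
    $other->login($user, 'old-secret');
    changePassword($user, 'new-secret', $refreshCurrent ? $mine : null);
    printf("refresh=%s mine=%d other=%d\n", $refreshCurrent ? 'yes' : 'no',
        $mine->request($user), $other->request($user));
}
```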

jpp_laravel

@martinbean Thanks for your response!

That makes sense, but I had the same mechanism in another project with Laravel 10, and it didn't have this behaviour; the user remained logged in.

Is it a security improvement in Laravel 11?
