
vincej (Level 15)

How to Change CSRF token and /or Session Data After Password Change ?

I have built a feature where a user can change their password after having logged in. (I am aware of the reset pw feature, however that assumes you are not logged in yet.)

Ok - so I have my change password view working great. Also my change pw controller is working great. My controller checks the old password from the DB against the submitted pw in the form and then proceeds to hash and save a new pw. All Good !

Problem: Once the password has been changed, if I now go to another page on the site, Laravel kicks me out to the login page. I am guessing that this is because there is now a mismatch either with the CSRF token or, perhaps more likely, the default web guard session data as created within the config/Auth. I don't know either way.

Any ideas and help as to what I need to do to ensure that once a pw change has occurred the user will not get kicked out?

Many thanks !

0 likes
7 replies
Snapey

how do you reset the password? it should not interfere with guard or csrf

vincej (Level 15)

@snapey Thanks for your rapid reply !

This is how my controller works so far. I am not doing anything with the guard or csrf:


    public function password_update(Request $request){

        $this->validate($request,
            [
                'old_password'  => 'required',
                'new_password'  => 'required',
                'new_password2' => 'required|same:new_password',
            ]);

        $user = User::find(Auth::id()); // the logged-in user (Auth::user() returns it directly)

        $old_password1 = $user->password; // hashed password from DB

        if(password_verify($request->old_password,$old_password1)) {
            $new_password = Hash::make($request->new_password); // Laravel's Hash facade
            $user->password = $new_password;
            $user->save();
            flash::success('Password has been updated');
            return view('contractor_portal/change_password');
        }
        else {
            flash::error('The Old Password is Not Valid');
            return back(); // without a return the action sends an empty response
        }

    }


Snapey (Level 122), Best Answer

I can't see anything in your code that might affect the session, therefore you should not be logged out.

You get the user (a long-winded, redundant way since Auth already has the user) - but that should not cause an issue

You use the php password_verify function which knows nothing about your sessions

You replace the password, save the user and return a view. Here I would redirect instead, but that should not be the issue.

???

refactored to simplify the problem a little

    public function password_update(Request $request)
    {

        $this->validate($request,
            [
                'old_password'  => 'required',
                'new_password'  => 'required',
                'new_password2' => 'required|same:new_password',
            ]);

        if (!password_verify($request->old_password,$request->user->password)) {
            flash::error('The Old Password is Not Valid');
            return back();
        }
        
        $request->user()->fill([
            'password' => Hash::make($request->new_password)
        ])->save();

        flash::success('Password has been updated');
        return redirect('/contractor_portal');   //or wherever
    }
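As an added example (not code from this thread or from Laravel itself), here is the same change-password action with the session handling the original question asks about: it checks the old password through Laravel's Hash facade, rotates the session ID and CSRF token after the credential change, and calls Auth::logoutOtherDevices (Laravel 5.6 or later; only enforced when the AuthenticateSession middleware is enabled in the web middleware group) so that other sessions of the account are invalidated while the current one stays logged in. The controller name, the redirect target and the `new_password_confirmation` form field are assumptions.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

class PasswordChangeController extends Controller // assumed name
{
    public function password_update(Request $request)
    {
        // 'confirmed' expects a matching new_password_confirmation field (assumed);
        // 'different' refuses a "new" password equal to the one being replaced.
        $this->validate($request, [
            'old_password' => 'required',
            'new_password' => 'required|min:8|confirmed|different:old_password',
        ]);

        $user = $request->user(); // user() is a method on Request, not a property

        // Hash::check wraps password_verify and honours the app's hash driver.
        if (! Hash::check($request->old_password, $user->password)) {
            return back()->withErrors(['old_password' => 'The old password is not valid.']);
        }

        // Laravel 5.6+: hashes and saves the new password, then marks every
        // other session of this user as stale. Enforcement needs
        // Illuminate\Session\Middleware\AuthenticateSession in the 'web' group.
        Auth::logoutOtherDevices($request->new_password);

        // Rotate the session ID and the CSRF token after the credential change
        // (guards against session fixation; the login state is carried over).
        $request->session()->regenerate();
        $request->session()->regenerateToken();

        return redirect('/contractor_portal') // assumed route
            ->with('status', 'Password has been updated');
    }
}
```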
vincej (Level 15)

@snapey

Success ! Many Many Thanks !!

I had to make a couple of mods to your code:

$request->user->password came back with:

Trying to get property of non-object

I checked with Storm debugger and found nothing, So I changed that bit back.

Then on the very last statement, it was puking with a redirect, so I changed that to a return and it worked: return view('contractor_portal/change_password',compact('name'));

Changing subjects: I notice that good developers like you write much more abbreviated code. I really want to be able to do the same, but I am having a real problem finding all these little cool functions like back() or fill() or whatever. I am reading the source code more and more, and I see these little funky functions all over the place. But I find looking them up in the API a major pain. I can spend 10 mins before I find it. The search function in the API is not the easiest. And then it is still not clear what they do. Perhaps I was spoilt during my CodeIgniter years when everything was searchable in seconds. I bought Matt Stauffer's book; he also admits that he learned loads of new things about Laravel during its writing. If Matt learns new stuff, people like me are really going to have to work hard.

Question: How did you find out about all this stuff? Does a person really have to digest the source code? I don't know if I have the stomach for that. Any tips / advice? How did you do it?

Thanks !

Snapey

To be honest, looking at the forum and seeing others code is the best way for me. I learn a lot by thinking about other people's problems.

There are always multiple ways to do things, but in this case, I just lifted the password reset direct from the docs ;-)

https://laravel.com/docs/5.4/hashing#basic-usage (last example)

Snapey

$request->user->password, I think, should have been

$request->user()->password, as user is a method on the request object, not an attribute.

I wonder what it was that fixed it?

1 like
vincej (Level 15)

@snapey Yes ! That worked. thanks !

btw - did you know I am a dual national? Lived in Herts for 26 years. British wife, kids and British Education.

1 like
