Merge pull request #91 from Lakshan-Madushanka/Fix-login-vulnerabilities

Fix login vulnerabilities

resources/views/pages/auth/login.blade.php

@@ -108,8 +108,10 @@ public function authenticate()
             event(new Login(auth()->guard('web'), $this->userModel->where('email', $this->email)->first(), true));
 
             if(session()->get('url.intended') != route('logout.get')){
+                session()->regenerate();
                 redirect()->intended(config('devdojo.auth.settings.redirect_after_auth'));
             } else {
+                session()->regenerate();
                 return redirect(config('devdojo.auth.settings.redirect_after_auth'));
             }
         }

resources/views/pages/auth/register.blade.php

@@ -108,8 +108,10 @@ public function register()
         }
 
         if (session()->get('url.intended') != route('logout.get')) {
+            session()->regenerate();
             redirect()->intended(config('devdojo.auth.settings.redirect_after_auth'));
         } else {
+            session()->regenerate();
             return redirect(config('devdojo.auth.settings.redirect_after_auth'));
         }
     }

src/Http/Controllers/LogoutController.php

@@ -3,22 +3,32 @@
 namespace Devdojo\Auth\Http\Controllers;
 
 use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
 
 class LogoutController
 {
-    public function __invoke(): RedirectResponse
+    public function __invoke(Request $request): RedirectResponse
     {
         Auth::logout();
 
+        $this->clearTraces($request);
+
         return redirect()->route('home');
     }
 
-    public function getLogout()
+    public function getLogout(Request $request)
     {
         Auth::logout();
-        Session()->flush();
+
+        $this->clearTraces($request);
 
         return redirect('/');
     }
+
+    private function clearTraces(Request $request): void
+    {
+        $request->session()->invalidate();
+        $request->session()->regenerateToken();
+    }
 }