Just wondering if a) this is still the recommended way of doing things (I have no reason to think it's not btw) b) I'm writing a public facing site that needs to be secure, so just wondering if there would ever be a possibility that the session object might not be an instance of org.apache.struts2.dispatcher.
In order to implement this we need to backtrack to where Laravel actually loads session classes.
This is defined in your providers array as ‘Illuminate\Session\SessionServiceProvider’.
This method does not take a session ID, but instead offers to destroy the current session.
Invalidating the session of the user changing the password is all perfectly fine, but that still leaves our attacker logged in.
My jsp page gets called on click of a link in my application.
In order to fix this we need to implement a custom session store that properly exposes the destroy() method of the individual session providers. Version 5 has quite a few changes so this might be significantly different.
If anyone uses Laravel 5 please let me know if this applies there as well.
I will leave this part as an exercise to the reader. The Laravel session providers themselves implement a very suitable destroy method that takes a session ID.
However, unfortunately the Laravel session store does not expose this method but instead implements a migrate() method.