Upgrading to Laravel 5.2 invalidates all sessions

Question

Upgrading from Laravel 5.1.17 to 5.2. My config/auth.php originally contained:

'driver' => 'eloquent',
'model'  => 'Project\User',
'table'  => 'users',

New file is the same as the default, except with the updated namespace.

'defaults' => [
    'guard' => 'web',
    'passwords' => 'users',
],
'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    'api' => [
        'driver' => 'token',
        'provider' => 'users',
    ],
],
'providers' => [
    'users' => [
        'driver' => 'eloquent',
        'model' => Project\User::class,
    ],
],

My env SESSION_DRIVER is redis. I did not clear anything from Redis. (Note, this also happened in my other projects where driver was file, but I didn't care about it as much for them.)

I have two branches, L5.2 and master (which is on 5.1.17). After switching branches, I simply run composer install

If I login on master, then switch to L5.2, I am logged out
If I switch back to master, I am logged back in
If I login on L5.2, then switch to master, I stay logged in
If I switch back to L5.2, I stay logged in

I'm hesitant to upgrade if it's going to invalidate all of my users' sessions and force them to login again. Is there a way to avoid this?

The only other files that were modified were composer.json, composer.lock, app/Exceptions/Handler.php, and config/app.php; nothing that touched Auth.

Has nobody else experienced this? This has happened to me on 6 different projects on 2 different servers. I can't be the only one — andrewtweber, Dec 28 '15 at 15:55
I don't understand one thing - you tell that only the only changed files are `composer.json`, `composer.lock` etc (total 4 files) between 5.1.17 and 5.2 but in fact you also changed other files (for example `app/Http/routes.php` to include `web` middleware. Have you changed other files when switching between branches? I mean `Kernel.php` etc? — Marcin Nabiałek, Dec 29 '15 at 18:31
@MarcinNabiałek I only changed routes to test your answer. I reverted it back afterwards. It is just those 4 files — andrewtweber, Dec 29 '15 at 18:35
If you look at https://laravel.com/docs/5.2/upgrade#upgrade-5.2.0 you will see that you should make much more changes to upgrade to version 5.2 (one of first mentioned is `config/auth.php` so If I were you I would first make sure I have valid `app` structure - the best way would be probably cloning `https://github.com/laravel/laravel` and comparing this with your `app` folder to see all differences and then merge all necessary changes with your code. — Marcin Nabiałek, Dec 29 '15 at 18:39
@MarcinNabiałek I did update `config/auth.php`, that's the main part of the question. Good idea to compare though, I'll try it — andrewtweber, Dec 29 '15 at 19:22
@MarcinNabiałek I guess I meant just those **5** files not 4. config/auth.php is part of the question + the 4 mentioned at the end. Everything else in the upgrade guide doesn't apply to me — andrewtweber, Dec 29 '15 at 19:22

andrewtweber · Accepted Answer · 2016-01-04T19:18:10.773

2

I figured out what is causing the session to be invalidated. The problem is the session guard's getName() method.

In 5.1.17:

return 'login_'.md5(get_class($this));

In 5.2 ($this->name would be web by default):

return 'login_'.$this->name.'_'.sha1(get_class($this));

Also, the class name itself changes from Guard to SessionGuard

If I replace this method with:

return 'login_'.md5('Illuminate\Auth\Guard');

That keeps my sessions logged in.

This is progress but not a complete solution yet. The real solution is to update all of your existing sessions with the new name. I'll work on a script to complete this and then update my answer.

edited Jan 04 '16 at 19:18

answered Jan 04 '16 at 00:42

andrewtweber

24,520
22
88
110

1

Good to know. I also thought that something internally could have changed with session names but didn't have time to verify this but this is quite strange so serious change has been made and I haven't seen any info about it in Upgrade guide – Marcin Nabiałek Jan 04 '16 at 19:28
@MarcinNabiałek it would have been hard for you to verify without old session data to compare. That's the only way I figured it out – andrewtweber Jan 04 '16 at 19:33
1

Now in upgrade guide to laravel 5.2 there is: `Because of changes to the authentication system, any existing sessions will be invalidated when you upgrade to Laravel 5.2.` – Marcin Nabiałek Jan 14 '16 at 20:07

Marcin Nabiałek · Answer 2 · 2016-01-14T20:08:25.020

1

That you should do is open app/Http/routes.php

and wrap all your existing routes with:

Route::group(['middleware' => ['web']], function () {
    // here your previous routes
});

EDIT

After testing I can confirm this behaviour.

In those cases:

5.1.17 -> 5.2
5.1.23 -> 5.2
5.1.28 -> 5.2.*

after upgrade to 5.2 User seems not be logged anymore. When going in versions in 5.1 branch user stays logged. When going back from 5.2 to 5.1 user is logged again.

At the moment you should probably create issue here https://github.com/laravel/framework/issues and wait for response

EDIT2

It seems it's official and expected behaviour because to upgrade guide has been added:

Because of changes to the authentication system, any existing sessions will be invalidated when you upgrade to Laravel 5.2.

edited Jan 14 '16 at 20:08

answered Dec 25 '15 at 09:24

Marcin Nabiałek

109,655
42
258
291

Did not work. Reflection exception class "web" does not exist. I also tried `auth:web` which did not throw an exception, but it still logs me out – andrewtweber Dec 25 '15 at 09:37
@andrewtweber Does your Handler look like this: https://github.com/laravel/laravel/blob/master/app/Http/Kernel.php ? Have you removed cached files? – Marcin Nabiałek Dec 25 '15 at 09:42
No, it did not have the `$middlewareGroups`. When I add the groups, I can use `middleware => web` as you said in your answer, but it still logs me out of my account. Clearing cache did nothing – andrewtweber Dec 25 '15 at 10:54
Sorry but I think this is only if you update your `Http/Kernel.php` file with the new middleware groups. If you leave it as is, then all of the old middleware (`EncryptCookies`, `StartSession`, etc.) are inside of the `$middleware` array and are applied to every route by default – andrewtweber Jan 03 '16 at 17:33
So in other words you can either upgrade both Kernel and routes, or neither – andrewtweber Jan 03 '16 at 17:46
And it is working for you then? I've updated both and it seemed not to work – Marcin Nabiałek Jan 03 '16 at 17:52
No, if I leave both files without touching them or update both files, either way it doesn't work – andrewtweber Jan 03 '16 at 17:57
So you should probably put issue on github and wait for answer. At the moment I don't have idea why this happens – Marcin Nabiałek Jan 03 '16 at 18:32

Upgrading to Laravel 5.2 invalidates all sessions

2 Answers2