Laravel: 5.5.40
PHP: 7.1.9
MySQL: 5.7.19

If using the Laravel middleware "AuthenticateSession", this will cause problems with PHPUnit tests that use actingAs more than once. For example:

The problem is that the AuthenticateSession middleware will store a session variable called "password_hash". The first actingAs statement works perfectly, and when visiting any page a password_hash field is added to the session. Once you switch users by using the actingAs statement again, the session keeps all of the same data. Then when you visit the regular page, the AuthenticateSession middleware notices that the 'password_hash' value does not match the hashed password for the regular user, and forces the user to log out at that point. This is not desired behavior because you are no longer acting as that user anymore.

One possible solution would be to update the actingAs method to forget the password_hash so that when the AuthenticateSession middleware kicks in later when visiting a page, it won't force a logout and instead will simply add the password_hash field to the session like normal. Something like:

session()->forget('password_hash');

It might make more sense to actually flush the session, since it's a completely different user.
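As an added example (not code from the original issue and not part of the Laravel framework), the following PHPUnit feature test reproduces the forced logout described above and shows a small test helper that applies the proposed workaround, clearing the stale password_hash before the second actingAs. The App\User model and its factory, the route URIs /admin and /dashboard, the assumption that both routes sit behind the web middleware group with AuthenticateSession enabled plus the auth middleware, and the /login redirect produced by the default auth scaffolding are all assumptions made for the example.

```php
<?php
// Added example (not from the original issue or the Laravel project).
// Assumptions: App\User with a factory, routes /admin and /dashboard behind the
// `web` group (with \Illuminate\Session\Middleware\AuthenticateSession enabled)
// and the `auth` middleware, and a /login route from the default auth scaffolding.

namespace Tests\Feature;

use App\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class SwitchActingUserTest extends TestCase
{
    use RefreshDatabase;

    /**
     * Switch the authenticated user inside one test without tripping
     * AuthenticateSession. The middleware stored the previous user's
     * getAuthPassword() under 'password_hash'; if that value is left in
     * the session it will not match the new user's hash, and the middleware
     * logs the request out. Forgetting the key lets the middleware store the
     * new user's hash on the next request instead.
     */
    protected function switchActingUser(User $user)
    {
        $this->app['session']->forget('password_hash');

        return $this->actingAs($user);
    }

    /** Reproduces the issue: a second actingAs with a stale hash is logged out. */
    public function testSecondActingAsWithStaleHashIsLoggedOut()
    {
        $admin = factory(User::class)->create();
        $regular = factory(User::class)->create();

        // First user: middleware sees no hash and records the admin's.
        $this->actingAs($admin)->get('/admin')->assertStatus(200);
        $this->assertEquals($admin->getAuthPassword(), session('password_hash'));

        // Second user, same session: stored hash belongs to $admin, so the
        // middleware calls logout(), flushes the session and throws an
        // AuthenticationException, which the handler turns into a redirect.
        $this->actingAs($regular)->get('/dashboard')->assertRedirect('/login');
        $this->assertGuest();
    }

    /** Workaround: drop the stale hash before switching users. */
    public function testSwitchingUserAfterForgettingHashStaysAuthenticated()
    {
        $admin = factory(User::class)->create();
        $regular = factory(User::class)->create();

        $this->actingAs($admin)->get('/admin')->assertStatus(200);

        $this->switchActingUser($regular)->get('/dashboard')->assertStatus(200);

        // The middleware has now recorded the regular user's hash instead.
        $this->assertEquals($regular->getAuthPassword(), session('password_hash'));
        $this->assertAuthenticatedAs($regular);
    }
}
```

The helper implements the first proposal from the issue (forgetting only the password_hash key). The second proposal, clearing everything left over from the previous user, can be tried by replacing the forget() call with the test trait's $this->flushSession() before actingAs; whichever is used, the assertion on session('password_hash') after the second request is the check that confirms the middleware accepted the new user rather than logging it out.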