From a7c1ebcc9f9cf678f07cdff48a8266f2e3dded5d Mon Sep 17 00:00:00 2001
From: Marco
Date: Sun, 25 Mar 2018 03:40:57 +0200
Subject: [PATCH] Force logout in any other sessions when a user changes their password
---
 src/Auth.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/Auth.php b/src/Auth.php
index 5c8ba2f..0720eba 100644
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -765,9 +765,12 @@ final class Auth extends UserManager {
 public function changePasswordWithoutOldPassword($newPassword) {
 if ($this->isLoggedIn()) {
 $newPassword = self::validatePassword($newPassword);
- $userId = $this->getUserId();
- $this->updatePasswordInternal($userId, $newPassword);
- $this->deleteRememberDirectiveForUserById($userId);
+ $this->updatePasswordInternal($this->getUserId(), $newPassword);
+
+ try {
+ $this->logOutEverywhereElse();
+ }
+ catch (NotLoggedInException $ignored) {}
 }
 else {
 throw new NotLoggedInException();
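Review bot: The empty `catch (NotLoggedInException $ignored) {}` around `$this->logOutEverywhereElse();` lets changePasswordWithoutOldPassword() return normally after the password was updated even when the other sessions were not invalidated, which is the step this commit exists to guarantee. The method already throws NotLoggedInException in its else branch, so the call could stand without the try/catch; if the catch stays, it should at least carry a comment such as `// cannot happen: isLoggedIn() was checked above`. The hunk also drops the explicit `deleteRememberDirectiveForUserById($userId)` call, and logOutEverywhereElse() is defined outside the hunk, so it is worth confirming (and pinning with a test) that it still revokes the stored remember-me tokens of the other devices. The function body continues past the end of the hunk.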