 

Upgrading to Laravel 5.2 invalidates all sessions

Upgrading from Laravel 5.1.17 to 5.2. My config/auth.php originally contained:

'driver' => 'eloquent',
'model'  => 'Project\User',
'table'  => 'users',

The new file is the same as the default, except with the updated namespace.

'defaults' => [
    'guard' => 'web',
    'passwords' => 'users',
],
'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    'api' => [
        'driver' => 'token',
        'provider' => 'users',
    ],
],
'providers' => [
    'users' => [
        'driver' => 'eloquent',
        'model' => Project\User::class,
    ],
],

My env SESSION_DRIVER is redis. I did not clear anything from Redis. (Note, this also happened in my other projects where driver was file, but I didn't care about it as much for them.)

I have two branches, L5.2 and master (which is on 5.1.17). After switching branches, I simply run composer install.

  • If I log in on master, then switch to L5.2, I am logged out
  • If I switch back to master, I am logged back in
  • If I log in on L5.2, then switch to master, I stay logged in
  • If I switch back to L5.2, I stay logged in

I'm hesitant to upgrade if it's going to invalidate all of my users' sessions and force them to login again. Is there a way to avoid this?

The only other files that were modified were composer.json, composer.lock, app/Exceptions/Handler.php, and config/app.php; nothing that touched Auth.

andrewtweber asked Dec 25 '15 08:12


2 Answers

I figured out what is causing the session to be invalidated. The problem is the session guard's getName() method.

In 5.1.17:

return 'login_'.md5(get_class($this));

In 5.2 ($this->name would be web by default):

return 'login_'.$this->name.'_'.sha1(get_class($this));

Also, the class name itself changes from Guard to SessionGuard.

If I replace this method with:

return 'login_'.md5('Illuminate\Auth\Guard');

That keeps my sessions logged in.

This is progress but not a complete solution yet. The real solution is to update all of your existing sessions with the new name. I'll work on a script to complete this and then update my answer.

andrewtweber answered Nov 15 '22 22:11
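The key rename described in the answer above, as an added example (not part of the original answer and not framework code). The function names are hypothetical, and it assumes the session attributes have already been read from the store and decoded into a PHP array, with guard classes Illuminate\Auth\Guard (5.1) and Illuminate\Auth\SessionGuard (5.2):

```php
<?php
// Added illustration: move the 5.1 login entry to the key the 5.2 guard reads.
// Reading from and writing back to Redis or files is left to the caller.

const OLD_GUARD_CLASS = 'Illuminate\Auth\Guard';        // class in 5.1.17
const NEW_GUARD_CLASS = 'Illuminate\Auth\SessionGuard'; // class in 5.2

// Key the 5.1.17 guard wrote: 'login_'.md5(get_class($this))
function legacyLoginKey()
{
    return 'login_' . md5(OLD_GUARD_CLASS);
}

// Key the 5.2 guard reads: 'login_'.$this->name.'_'.sha1(get_class($this))
function currentLoginKey($guard = 'web')
{
    return 'login_' . $guard . '_' . sha1(NEW_GUARD_CLASS);
}

// Returns the attributes with the user id moved from the old key to the new
// one. Sessions with no 5.1 login, or that already carry a 5.2 login, are
// returned unchanged so a newer login is never overwritten.
function migrateLoginKey(array $attributes, $guard = 'web')
{
    $old = legacyLoginKey();
    $new = currentLoginKey($guard);

    if (!array_key_exists($old, $attributes) || array_key_exists($new, $attributes)) {
        return $attributes;
    }

    $attributes[$new] = $attributes[$old];
    unset($attributes[$old]);

    return $attributes;
}

// Constructed sample session: a user logged in under 5.1.17 with id 42.
$session  = ['_token' => 'constructed-csrf-token', legacyLoginKey() => 42];
$migrated = migrateLoginKey($session);

echo legacyLoginKey(), ' -> ', currentLoginKey(), PHP_EOL;
var_dump($migrated);
```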


What you should do is open app/Http/routes.php

and wrap all your existing routes with:

Route::group(['middleware' => ['web']], function () {
    // here your previous routes
});

EDIT

After testing I can confirm this behaviour.

In those cases:

  • 5.1.17 -> 5.2
  • 5.1.23 -> 5.2
  • 5.1.28 -> 5.2.*

After upgrading to 5.2, the user no longer seems to be logged in. When moving between versions in the 5.1 branch, the user stays logged in. When going back from 5.2 to 5.1, the user is logged in again.

At the moment you should probably create an issue here https://github.com/laravel/framework/issues and wait for a response.

EDIT2

It seems it's official and expected behaviour, because the following has been added to the upgrade guide:

Because of changes to the authentication system, any existing sessions will be invalidated when you upgrade to Laravel 5.2.

Marcin Nabiałek answered Nov 15 '22 22:11