Fix issue #162

migrations/2017_02_11_000000_create_users_table.php

@@ -44,6 +44,14 @@ public function up()
                 'can_be_impersonated' => 1,
                 'created_at' => Carbon::now()->toDateTimeString(),
             ],
+            [
+                'name'       => 'Different Password User',
+                'email'      => 'different-password-user@test.rocks',
+                'password'   => bcrypt('different-password'),
+                'is_admin'   => 0,
+                'can_be_impersonated' => 1,
+                'created_at' => Carbon::now()->toDateTimeString(),
+            ],
             [
                 'name'       => 'SuperAdmin',
                 'email'      => 'superadmin@test.rocks',

phpunit.xml

@@ -17,6 +17,7 @@
             <file>tests/BladeDirectivesTest.php</file>
             <file>tests/RoutesTest.php</file>
             <file>tests/MiddlewareProtectFromImpersonationTest.php</file>
+            <file>tests/SessionGuardTest.php</file>
         </testsuite>
     </testsuites>
     <filter>

src/Guard/SessionGuard.php

@@ -17,6 +17,8 @@ public function quietLogin(Authenticatable $user)
     {
         $this->updateSession($user->getAuthIdentifier());
 
+        $this->updatePasswordHashes($user);
+
         $this->setUser($user);
     }
 
@@ -35,4 +37,21 @@ public function quietLogout()
 
         $this->loggedOut = true;
     }
+
+    /**
+     * Removes the stored password hashes from the session.
+     *
+     * @param   void
+     * @return  void
+     */
+    protected function updatePasswordHashes(Authenticatable $user)
+    {
+        // Sort out password hashes stored in session
+        foreach (array_keys(config('auth.guards')) as $guard) {
+            $hashName = 'password_hash_' . $guard;
+            if ($this->session->has($hashName)) {
+                $this->session->put($hashName, $user->getAuthPassword());
+            }
+        }
+    }
 }

tests/SessionGuardTest.php

@@ -0,0 +1,32 @@
+<?php
+
+namespace Lab404\Tests;
+
+use Illuminate\Support\Facades\Hash;
+use Lab404\Tests\Stubs\Models\User;
+
+class SessionGuardTest extends TestCase
+{
+    /** @var String $guard */
+    private $guard;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+        $this->guard = 'web';
+    }
+
+    /** @test */
+    public function it_updates_password_hash()
+    {
+        $hashName = 'password_hash_' . $this->guard;
+        $this->app['auth']->guard($this->guard)->loginUsingId('admin@test.rocks');
+        $startHash = Hash::make(auth()->user()->password);
+        $this->app['auth']->guard($this->guard)->getSession()->put($hashName, $startHash);
+        $this->app['auth']->guard($this->guard)->quietLogout();
+        $this->app['auth']->guard($this->guard)->quietLogin(
+            User::where('email', 'different-password-user@test.rocks')->first()
+        );
+        $this->assertNotEquals($startHash, $this->app['auth']->guard($this->guard)->getSession()->get($hashName));
+    }
+}