Tags: authentication, session, laravel-sanctum

laravel sanctum AuthenticateSession middleware first login problem


I'm using Sanctum to authenticate a SPA application, using the default guards and password providers. There is no problem with login or user registration; everything works well. The problem is when a user logs in to an account, logs out, and then tries to log in to another account: the AuthenticateSession middleware forces the user to log out. But when the user refreshes the page and tries logging in again, everything works fine. The same problem happens if a user resets his password and logs in again.

When I remove this middleware everything works. I debugged it and found the following: when the user tries to log in after logging out, the login is successful and $request->user() returns the user info, but the AuthenticateSession middleware compares the user's password with the session password and they are not equal for some reason! In fact the session password is wrong, so the middleware flushes the session and logs the user out. If you refresh the page and try again, they are the same and it works fine. This is the logout method:

    public function logout(Request $request)
    {
        // Log the user out of the session-based 'web' guard.
        Auth::guard('web')->logout();
        // Drop all session data and rotate the CSRF token so the old one cannot be reused.
        if ($request->hasSession()) {
            $request->session()->flush();
            $request->session()->regenerateToken();
        }
    }

Solution

  • This problem happened because I was using my logout route inside the auth:sanctum middleware. The problem was fixed by moving the /logout route out of the auth:sanctum middleware.
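The route change the answer describes, written out as an added example (this is not the poster's routes file). It assumes a routes/web.php that already runs under Laravel's default 'web' middleware group, and a LoginController whose logout() method is the one shown in the question; both names are assumptions. The point to check when you remove an auth middleware from a logout route is that CSRF protection still applies to it, which the 'web' group provides.

```php
<?php
// routes/web.php (added example, not the original poster's file).
// Assumed: App\Http\Controllers\LoginController::logout(Request $request)
// contains the logout code from the question, and this file runs under
// the default 'web' middleware group (StartSession, VerifyCsrfToken, ...).

use App\Http\Controllers\LoginController; // assumed controller name
use Illuminate\Support\Facades\Route;

// Before: /logout lived inside the auth:sanctum group, so AuthenticateSession
// ran on the logout request itself. This is the layout the answer moves away from.
//
// Route::middleware('auth:sanctum')->group(function () {
//     Route::get('/user', fn () => request()->user());
//     Route::post('/logout', [LoginController::class, 'logout']);
// });

// After: only routes that genuinely need an authenticated session stay in the group.
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/user', fn () => request()->user());
});

// /logout is now outside auth:sanctum. Because it is still declared in routes/web.php,
// VerifyCsrfToken from the 'web' group still guards it, so a third-party page cannot
// forge the POST. Calling it while already logged out is harmless: the guard has no
// user to log out and the session is simply flushed.
Route::post('/logout', [LoginController::class, 'logout']);
```

Keep the route as POST rather than GET: a logout that fires on a plain link or image load is a trivial forced-logout vector, and the CSRF middleware only protects state-changing verbs.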