Fix issue #162

phpunit.xml

@@ -17,6 +17,7 @@
             <file>tests/BladeDirectivesTest.php</file>
             <file>tests/RoutesTest.php</file>
             <file>tests/MiddlewareProtectFromImpersonationTest.php</file>
+            <file>tests/SessionGuardTest.php</file>
         </testsuite>
     </testsuites>
     <filter>

src/Guard/SessionGuard.php

@@ -31,8 +31,27 @@ public function quietLogout()
     {
         $this->clearUserDataFromStorage();
 
+        $this->clearPasswordHashes();
+
         $this->user = null;
 
         $this->loggedOut = true;
     }
+
+    /**
+     * Removes the stored password hashes from the session.
+     *
+     * @param   void
+     * @return  void
+     */
+    protected function clearPasswordHashes()
+    {
+        // Sort out password hashes stored in session
+        foreach (array_keys(config('auth.guards')) as $guard) {
+            $hashName = 'password_hash_' . $guard;
+            if ($this->session->has($hashName)) {
+                $this->session->remove($hashName);
+            }
+        }
+    }
 }

tests/SessionGuardTest.php

@@ -0,0 +1,28 @@
+<?php
+
+namespace Lab404\Tests;
+
+use Lab404\Tests\Stubs\Models\User;
+
+class SessionGuardTest extends TestCase
+{
+    /** @var String $guard */
+    private $guard;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+        $this->guard = 'web';
+    }
+
+    /** @test */
+    public function it_removes_password_hash_from_session()
+    {
+        $hashName = 'password_hash_' . $this->guard;
+        $this->app['auth']->guard($this->guard)->loginUsingId('[email protected]');
+        $this->app['auth']->guard($this->guard)->getSession()->put($hashName, 'test_hash');
+        $this->app['auth']->guard($this->guard)->quietLogout();
+        $this->assertFalse($this->app['auth']->guard($this->guard)->check());
+        $this->assertFalse($this->app['auth']->guard($this->guard)->getSession()->has($hashName));
+    }
+}