From bf98fa0a16d7b09087c04147e2a7c39ce8d019fc Mon Sep 17 00:00:00 2001
From: SoftAppStudio
Date: Fri, 30 Jan 2026 18:20:58 -0500
Subject: [PATCH] Added password hash to session for enhanced security

Stores password hash in the session to improve security during authentication. This enhances the authentication process by verifying the password hash stored in the session against the user's current password, adding an extra layer of security against session hijacking and unauthorized access.
---
 classes/SessionGuard.php                |  5 +++++
 classes/sessionguard/HasPersistence.php | 16 ++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/classes/SessionGuard.php b/classes/SessionGuard.php
index 779b428e..9f555843 100644
--- a/classes/SessionGuard.php
+++ b/classes/SessionGuard.php
@@ -83,6 +83,8 @@ public function loginQuietly(Authenticatable $user)
     {
         $this->updatePersistSession($user);
 
+        $this->updatePasswordHashSession($user);
+
         $this->updateSession($user->getAuthIdentifier());
 
         $this->setUser($user);
@@ -130,6 +132,8 @@ protected function clearUserDataFromStorage()
     {
         $this->session->remove($this->getPersistCodeName());
 
+        $this->session->remove($this->getPasswordHashName());
+
         parent::clearUserDataFromStorage();
     }
 
@@ -148,4 +152,5 @@ public function getRecallerName()
     {
         return 'user_auth';
     }
+
 }
diff --git a/classes/sessionguard/HasPersistence.php b/classes/sessionguard/HasPersistence.php
index 2430e469..885bac2c 100644
--- a/classes/sessionguard/HasPersistence.php
+++ b/classes/sessionguard/HasPersistence.php
@@ -49,6 +49,14 @@ protected function updatePersistSession(User $user)
         return $this->session->put($this->getPersistCodeName(), $user->getPersistCode());
     }
 
+    /**
+     * updatePasswordHashSession
+     */
+    protected function updatePasswordHashSession(User $user)
+    {
+        return $this->session->put($this->getPasswordHashName(), $user->getAuthPassword());
+    }
+
     /**
      * hasValidPersistCode
      */
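Review bot: The call to `$this->updatePasswordHashSession($user)` added in loginQuietly only writes the hash; no hunk in this patch reads it back or compares it on later requests, so the "verifying the password hash stored in the session" described in the commit message is not present here — if that check lives elsewhere, it should compare with `hash_equals((string) $stored, (string) $user->getAuthPassword())` rather than `==`/`===`, and if it does not exist yet the stored value is dead data. A second gap: when a user changes their own password mid-session, nothing refreshes the stored hash, so a later comparison would evict the legitimate session; the password-change path (outside this patch) needs to call `updatePasswordHashSession` too. loginQuietly's body starts and ends outside the hunk.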
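Review bot: updatePasswordHashSession stores the user's complete credential hash (`$user->getAuthPassword()`) in the session store, which means every session backend (file, database, cookie) now holds a copy of the bcrypt hash and a session-store leak becomes an offline-cracking opportunity for every logged-in user; storing a fingerprint instead, e.g. `hash('sha256', (string) $user->getAuthPassword())`, keeps the invalidation-on-password-change property without exposing the hash itself, and the verifier side then compares fingerprints with `hash_equals`. The docblock `updatePasswordHashSession` only repeats the method name; replace it with `Stores a fingerprint of the user's current password hash in the session so the session can be invalidated when the password changes.` and, since the sibling `updatePersistSession` takes `User $user` while SessionGuard::loginQuietly receives `Authenticatable $user`, confirm every caller passes a `User` or widen the hint. `getAuthPassword()` may presumably be null for passwordless accounts — verify what `put()` does with a null value.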
@@ -64,4 +72,12 @@ public function getPersistCodeName()
     {
         return 'user_persist_code';
     }
+
+    /**
+     * getPasswordHashName gets the name of the session used to store the password
+     */
+    public function getPasswordHashName()
+    {
+        return 'password_hash_' . $this->name;
+    }
 }
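Review bot: getPasswordHashName reads `$this->name`, which this trait does not declare and which, unlike the hard-coded `'user_persist_code'` returned by the sibling getPersistCodeName, makes the key depend on whatever class uses the trait; if `$name` is the guard name this is the right choice (it keeps hashes of different guards apart), but the trait should state that requirement, e.g. a `@property string $name` docblock on the trait or a note in the method docblock. The docblock wording `the name of the session used to store the password` is also misleading — it is a session key, and what is stored is a hash, not the password — so `gets the session key under which the user's password hash is stored` is clearer; add the `: string` return type while here.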