Securing Sensitive Actions with Password Confirmation in Laravel
Security is a top priority in any web application, especially when performing critical actions like updating credentials or deleting accounts. Laravel provides an efficient way to enhance security through password confirmation. This feature ensures that only authorised users can execute sensitive operations, even if they remain logged in.
Problem: Unauthorised Access Risks
Web applications often keep users logged in for extended periods. However, this can be a security risk if someone gains unauthorised access to a logged-in session—whether through a shared device, session hijacking, or unattended access. In such cases, a malicious user could perform critical actions like changing account credentials or deleting data.
To mitigate this, Laravel provides password confirmation, requiring users to re-authenticate before executing sensitive operations.
Solution: Implementing Password Confirmation
Laravel’s built-in password confirmation mechanism mitigates these unauthorised access risks by requiring users to re-enter their password before performing sensitive actions. The implementation has four parts:
1. Creating the Password Confirmation Route
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Hash;

    Route::post('/confirm-password', function (Request $request) {
        // Compare the submitted password with the stored hash of the
        // currently authenticated user.
        if (! Hash::check($request->password, $request->user()->password)) {
            return back()->withErrors([
                'password' => ['The provided password does not match our records.'],
            ]);
        }

        // Record the confirmation time in the session.
        $request->session()->passwordConfirmed();

        return redirect()->intended();
    })->middleware(['auth', 'throttle:6,1']);
2. Breaking Down the Implementation
- The POST handler receives the password submitted from the confirmation form.
- Hash::check() compares the submitted password with the stored hash of the currently authenticated user ($request->user()), never with an account chosen by the client.
- If it does not match, the user is redirected back with a single generic error; the message deliberately says no more than "wrong password".
- If it matches, passwordConfirmed() stores the current timestamp in the session (under the key auth.password_confirmed_at), which is what the password.confirm middleware later checks.
- The auth middleware ensures that only authenticated users can reach the route at all.
- throttle:6,1 limits confirmation attempts to six per minute, so someone holding a logged-in session cannot use this endpoint to guess the password online. It throttles confirmation attempts, not logins.
3. Protecting Sensitive Routes
Apply the password.confirm middleware (Laravel's default alias for Illuminate\Auth\Middleware\RequirePassword) to any sensitive route:
    Route::post('/sensitive-action', function () {
        // Perform sensitive action
    })->middleware(['auth', 'password.confirm']);
If the user has not confirmed their password within the configured window, the middleware redirects them to the route named password.confirm (the GET route that renders the confirmation form) and remembers where they were heading, which is why the confirmation handler finishes with redirect()->intended(). Note that the confirmation state lives in the session: this protects against a shared or unattended device, but it does not stop an attacker who has stolen a session that was confirmed moments ago and is still inside the window.
4. Example: Deleting an Account
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Auth;

    Route::delete('/account', function (Request $request) {
        $user = $request->user();

        Auth::logout();
        $user->delete();

        // Invalidate the old session and rotate the CSRF token so nothing
        // belonging to the deleted account's session can be reused.
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/')->with('status', 'Your account has been deleted.');
    })->middleware(['auth', 'password.confirm']);
How It Works:
- Requires password confirmation before deletion.
- Deletes the user’s account.
- Logs the user out and redirects them to the homepage.
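Putting steps 1 to 4 together, the following routes file is an added example, not code from the article or from the Laravel documentation. It assumes the default auth scaffolding (a User model with a hashed password column) plus two Blade views, auth/confirm-password and account/settings, that are not shown; the route names account.settings and account.destroy are also assumptions. It supplies the piece the steps above leave implicit, the GET route that renders the form, and it guards the settings page as well as the DELETE action, for the reason given in the comments.

```php
<?php
// routes/web.php -- added example wiring the four steps together.
// Assumptions: default Laravel auth scaffolding, a Blade view
// resources/views/auth/confirm-password.blade.php that POSTs a `password`
// field to /confirm-password, and a view resources/views/account/settings.blade.php
// containing the delete form. Route names account.* are made up for this example.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

// 1. The confirmation form. The route name `password.confirm` is required:
//    the password.confirm middleware (RequirePassword) redirects to it by name.
Route::get('/confirm-password', function () {
    return view('auth.confirm-password');
})->middleware('auth')->name('password.confirm');

// 2. The confirmation handler. With no named limiter, `throttle` keys the
//    limit on the authenticated user's id, so each user gets six attempts per
//    minute and a stolen session cannot be used to brute-force the password.
Route::post('/confirm-password', function (Request $request) {
    $request->validate(['password' => ['required', 'string']]);

    if (! Hash::check($request->input('password'), $request->user()->password)) {
        return back()->withErrors([
            'password' => ['The provided password does not match our records.'],
        ]);
    }

    // Writes time() into the session key auth.password_confirmed_at;
    // RequirePassword compares it against config('auth.password_timeout').
    $request->session()->passwordConfirmed();

    return redirect()->intended(route('account.settings'));
})->middleware(['auth', 'throttle:6,1']);

// 3. Guard the page that renders the dangerous form, not only the action.
//    For a non-GET request, RequirePassword records the *previous* URL as the
//    intended destination, so a user who first hits the DELETE route gets
//    bounced to the confirmation form and then back to the settings page,
//    where they must submit the form a second time. Guarding the GET page
//    means the confirmation happens before the form is ever shown.
Route::get('/account/settings', function () {
    return view('account.settings');
})->middleware(['auth', 'password.confirm'])->name('account.settings');

// 4. The action itself stays guarded too, so it cannot be reached by
//    crafting the DELETE request directly with an unconfirmed session.
Route::delete('/account', function (Request $request) {
    $user = $request->user();

    Auth::logout();
    $user->delete();

    // Discard the old session and CSRF token; nothing from the deleted
    // account's session (including its confirmation timestamp) survives.
    $request->session()->invalidate();
    $request->session()->regenerateToken();

    return redirect('/')->with('status', 'Your account has been deleted.');
})->middleware(['auth', 'password.confirm'])->name('account.destroy');
```

The settings page and the DELETE route carry the same middleware on purpose: the page guard gives users a clean flow, while the action guard is the one that actually enforces the control when someone bypasses the UI.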
5. Customizing the Confirmation Window
By default a confirmation remains valid for three hours. The window is the password_timeout option in config/auth.php, expressed in seconds:

    'password_timeout' => 10800, // 10800 seconds = 3 hours

Lower it for applications with high-risk actions. Two details worth knowing before you tune it: the value is seconds, not minutes, and the confirmation timestamp is stored in the user's session, so a confirmation never outlives the session itself (see the session lifetime in config/session.php).
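The behaviour of the window is easy to pin down with a feature test. The test below is an added example, not part of the article. It assumes a standard Laravel application with the User model factory and the POST /confirm-password route from step 1; the guarded route and the password.confirm form route are registered inside the test itself so the assertions do not depend on any other application route. The session key auth.password_confirmed_at is the one Laravel's session store writes in passwordConfirmed(); the timestamps are set directly rather than with travel(), because both the session store and the middleware use PHP's time(), which Carbon test-time helpers do not alter.

```php
<?php
// tests/Feature/PasswordConfirmationTimeoutTest.php -- added example.
// Assumptions: default User factory, POST /confirm-password as in step 1,
// and that the User model hashes (or accepts an already hashed) password.

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class PasswordConfirmationTimeoutTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();

        // Throwaway guarded route so the test is independent of app routes.
        Route::post('/sensitive-action', fn () => 'done')
            ->middleware(['auth', 'password.confirm']);

        // RequirePassword redirects to this named route; register a stub
        // form route only if the application has not already defined one.
        if (! Route::has('password.confirm')) {
            Route::get('/confirm-password', fn () => 'confirm form')
                ->middleware('auth')
                ->name('password.confirm');
        }
    }

    public function test_unconfirmed_session_is_redirected_to_confirmation(): void
    {
        $user = User::factory()->create();

        $this->actingAs($user)
            ->post('/sensitive-action')
            ->assertRedirect(route('password.confirm'));
    }

    public function test_wrong_password_does_not_confirm_the_session(): void
    {
        $user = User::factory()->create(['password' => Hash::make('correct-horse')]);

        $this->actingAs($user)
            ->from('/account/settings')
            ->post('/confirm-password', ['password' => 'wrong'])
            ->assertRedirect('/account/settings')
            ->assertSessionHasErrors('password')
            ->assertSessionMissing('auth.password_confirmed_at');
    }

    public function test_confirmation_is_honoured_inside_the_window_and_not_after(): void
    {
        // Shrink the window for this test; RequirePassword reads the config
        // value when it is resolved, so changing it here is enough.
        config(['auth.password_timeout' => 600]);

        $user = User::factory()->create();

        // Confirmed one minute ago: inside the 600 second window.
        $this->actingAs($user)
            ->withSession(['auth.password_confirmed_at' => time() - 60])
            ->post('/sensitive-action')
            ->assertOk();

        // Confirmed 601 seconds ago: the middleware demands confirmation again.
        $this->actingAs($user)
            ->withSession(['auth.password_confirmed_at' => time() - 601])
            ->post('/sensitive-action')
            ->assertRedirect(route('password.confirm'));
    }
}
```

Run it with `php artisan test --filter PasswordConfirmationTimeoutTest`. The third test is the one to keep when you change password_timeout: it fails immediately if someone later edits the value in minutes rather than seconds.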
Conclusion
Password confirmation in Laravel enhances security by preventing unauthorised access to critical actions. By implementing this feature, developers can ensure that only verified users execute sensitive operations, strengthening overall application security and user trust.
For more information, contact 2Hats Logic.
Greetings! I'm Aneesh Sreedharan, CEO of 2Hats Logic Solutions. At 2Hats Logic Solutions, we are dedicated to providing technical expertise and resolving your concerns in the world of technology. Our blog page serves as a resource where we share insights and experiences, offering valuable perspectives on your queries.
