From 51f0e6285bfd87e4d06ed6db37ae8ae45efb175a Mon Sep 17 00:00:00 2001
From: Darko Gjorgjijoski
Date: Fri, 3 Apr 2026 23:52:07 +0200
Subject: [PATCH] Fix session not invalidated on logout causing CSRF mismatch on re-login

The web logout route called Auth::guard('web')->logout() but didn't invalidate the session or regenerate the CSRF token. The browser kept sending the old session cookie, causing CSRF token mismatch errors when logging in as a different user.
---
 routes/web.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/routes/web.php b/routes/web.php
index 21a03165..75c72962 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -32,6 +32,9 @@
 Route::post('login', [LoginController::class, 'login']);
 Route::post('auth/logout', function () {
     Auth::guard('web')->logout();
+
+    request()->session()->invalidate();
+    request()->session()->regenerateToken();
 });
 
 // Customer auth
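Review bot: The added `request()->session()->invalidate()` flushes the whole session and not only the `web` guard's state, so any other session-backed guard (the "Customer auth" section that begins right after this hunk looks like one) is signed out by the same request; if that is not intended, the customer guard needs its own logout path or its session keys need to survive the flush. The closure also still returns nothing after the two new calls, so the caller gets an empty 200 with no redirect or JSON body — fine for an XHR client, worth confirming if a browser form posts here. The pair of calls reads as redundant to a future maintainer, so a why-comment above them would help: `// invalidate() destroys the old session server-side so the old cookie cannot be replayed; regenerateToken() issues a fresh CSRF token for the next login form.`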