Session ID keeps regenerating (for routes that are protected via auth.required middleware)

[patrickvuarnoz]

I realized that with every request the session id gets regenerated. This could be considered a security feature but it is problematic if the server needs to handle parallel requests from the same session.

I tried to backtrack the cause of this and it looks like the following is happening:

• Leaf\Auth\User::__construct() always calls session_regenerate_id()
• Leaf\Auth::user() calls new User()
• A closure seems to call auth()->user(). To me it looks like the auth.required middleware is doing this. For routes that are not protected the session regeneration does not happen.

The whole session starting and regeneration code is in the wrong place. It is executed every time the Auth\User is constructed but it should only happen when the user logs in or registers (and some other), i.e. it should happen in Auth::login(), Auth::register() (and some other).