---
title: Re-authenticate Before Critical Changes
impact: MEDIUM
impactDescription: prevents unauthorized critical operations in case of session hijacking
tags: authentication, critical, reauthentication, security, php
---

## Re-authenticate Before Critical Changes

For critical operations such as changing passwords, updating contact emails, or deleting an account, a valid session alone is not enough. You must require the user to provide their current password or a 2FA code to confirm the action.

**Incorrect (no confirmation for critical actions):**

```php
// VULNERABLE: Direct deletion without confirming identity
public function deleteAccount(Request $request) {
    $user = Auth::user();
    $user->delete();
    return response()->json(['status' => 'success']);
}
```

**Correct (requiring password confirmation):**

```php
// Imports needed by the snippets below
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;
use Illuminate\Validation\ValidationException;

public function deleteAccount(Request $request) {
    $request->validate([
        'current_password' => 'required',
    ]);

    $user = Auth::user();

    // 1. Manually verify the submitted password against the stored hash
    if (!Hash::check($request->current_password, $user->password)) {
        throw ValidationException::withMessages([
            'current_password' => ['The provided password does not match our records.'],
        ]);
    }

    // 2. Perform the critical action
    $user->delete();

    // 3. Log the security event (the in-memory model still carries the email after delete())
    Log::warning("User account deleted: {$user->email}");

    return response()->json(['status' => 'success']);
}

// 2FA verification example. `TwoFactor::verify` stands for whichever one-time-code
// check your 2FA provider exposes; it is not a built-in Laravel facade.
public function updateEmail(Request $request) {
    $request->validate(['email' => 'required|email', 'otp' => 'required']);

    if (!TwoFactor::verify($request->otp)) {
        // withErrors() is the RedirectResponse method; withError() does not exist by default
        return back()->withErrors(['otp' => 'Invalid 2FA code.']);
    }

    // ...
}
```

**Critical actions that MUST require re-authentication:**
- Changing the account password.
- Updating the primary email address.
- Deleting the account.
- Disabling 2FA or changing security settings.
- Managing high-value payment methods or withdrawal addresses.

**Why is this necessary?**
If a user leaves their computer unlocked or their session cookie is stolen, the attacker can hijack the session. Requiring the password for critical changes creates a vital final barrier that prevents the attacker from locking out the real user or causing permanent data loss.

**Tools:** Laravel `password.confirm`, `Hash::check`, manual code review
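As an added example (not part of the original rule, and not code from Laravel itself), the same requirement expressed with the built-in pieces named above: the `password.confirm` route middleware for a time-bounded confirmation window, and the `current_password` validation rule (Laravel 8.x and later) for a per-request check that cannot be satisfied by an earlier confirmation. The `AccountController` class, its route paths and the `two_factor_secret` column are illustrative assumptions.

```php
<?php
// Added example, not from the original rule. Controller and route names are assumed.
//
// Route registration (place in routes/web.php; shown here as a comment so the file
// below stays a single valid PHP file):
//
//   Route::middleware('auth')->group(function () {
//       // Option A: time-bounded confirmation. `password.confirm` redirects to the
//       // named route 'password.confirm' unless the session holds a recent
//       // 'auth.password_confirmed_at' timestamp. The window is
//       // config('auth.password_timeout') (10800 s by default); shorten it in
//       // config/auth.php for sensitive applications.
//       Route::post('/settings/two-factor/disable',
//           [AccountController::class, 'disableTwoFactor'])->middleware('password.confirm');
//
//       // Option B: per-request check. Irreversible actions should not reuse a
//       // previous confirmation; the password is required on this very request.
//       Route::delete('/account', [AccountController::class, 'destroy']);
//   });

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

class AccountController extends Controller
{
    // Protected by `password.confirm`: the middleware has already demanded the
    // password within the timeout window, so this method only does the work and
    // leaves an audit trail.
    public function disableTwoFactor(Request $request)
    {
        $user = $request->user();

        // `two_factor_secret` is an assumed column (Fortify uses this name).
        $user->forceFill(['two_factor_secret' => null])->save();

        Log::warning('2FA disabled after re-authentication', [
            'user_id' => $user->id,
            'ip'      => $request->ip(),
        ]);

        return back()->with('status', 'Two-factor authentication disabled.');
    }

    // Not behind `password.confirm`: the `current_password` rule hash-checks the
    // submitted value against the authenticated user's password on every call,
    // so there is no manual Hash::check to forget and no stale confirmation to reuse.
    public function destroy(Request $request)
    {
        $request->validate([
            'current_password' => ['required', 'current_password'],
        ]);

        $user = $request->user();

        Log::warning('Account deleted after re-authentication', [
            'user_id' => $user->id,
            'ip'      => $request->ip(),
        ]);

        // Terminate the session before deleting, so a stolen cookie for this
        // session cannot be replayed afterwards.
        Auth::logout();
        $user->delete();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return response()->json(['status' => 'success']);
    }
}
```

Choosing between the two options is a per-action decision: a confirmation window is convenient for a settings page where several sensitive toggles are changed in one sitting, while account deletion and withdrawal-address changes should demand the password on the request itself, because a hijacked session that has recently confirmed would otherwise pass the middleware unchallenged.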
