More robust

app/Controllers/AuthController.php

@@ -4,15 +4,19 @@ declare(strict_types=1);
 
 class AuthController extends BaseController
 {
+    public function beforeRoute(): void
+    {
+        $this->disableCache();
+    }
+
     public function show(): void
     {
         if ($this->currentUser() !== null) {
-            $this->f3->reroute($this->f3->alias('dashboard'));
+            $this->f3->reroute('@dashboard');
             return;
         }
 
-        $this->f3->expire(0);
-        $this->render('auth/login.html', ['pageTitle' => 'Connexion']);
+        $this->renderSession('auth/login.html', ['pageTitle' => 'Connexion'], true);
     }
 
     public function login(): void
@@ -26,22 +30,24 @@ class AuthController extends BaseController
         if ($user === null || !password_verify($password, $user['password_hash'])) {
             usleep(1_500_000); // 1,5 s — ralentit le brute-force
             $this->flash('error', 'Identifiants invalides.');
-            $this->f3->reroute($this->f3->alias('login'));
+            $this->f3->reroute('@login');
             return;
         }
 
         session_regenerate_id(true);
         $this->f3->set('SESSION.user_id', $user['id']);
+        $this->refreshCsrfToken();
         $this->flash('success', 'Connexion réussie.');
-        $this->f3->reroute($this->f3->alias('dashboard'));
+        $this->f3->reroute('@dashboard');
     }
 
     public function logout(): void
     {
         $this->verifyCsrf();
         $this->f3->clear('SESSION.user_id');
+        $this->f3->clear('SESSION.csrf_token');
         session_regenerate_id(true);
         $this->flash('success', 'Déconnexion effectuée.');
-        $this->f3->reroute($this->f3->alias('home'));
+        $this->f3->reroute('@login');
     }
 }