I m using Laravel 8 - Jetstream for Authentification and i set a session variable : session(['isAdmin'=>'true']) on login :
//app\Providers\JetstreamServiceProvider.php
...
public function boot()
{
...
Fortify::authenticateUsing(function(LoginRequest $request){
...
//verifications
session(['isAdmin'=>'true'])
...
}
If The user Logs out in Jetstream (using POST request to /logout) the session('isAdmin') is null.
The problem is what if the user didn't Log out but the session expired , because then the session('isAdmin') will be null but the user is still logged in (he didn't use the POST request to /logout ) .
I can't test this because i don't know if the session variables expire or no in Laravel maybe it's using database for sessions …
Any informations on how does the Laravel session works with the Authentification system in Jetstream ?
on /logout the user gets logged out from the Application and user session reset and hence all session data destroy. like in your case session('isAdmin') is set to null.
In case of session expire and user is not logged out using post request to /logout, then the session will also reset on next request(post session expire). In this case user will be logged out(as session expired) and session data will be destroyed. This works in same way for file and database driver for session.
Related
Using Laravel 9 with Breeze(Auth Scaffolding) to make an admin panel. Throughout my views, I have a
auth()->user()->name
call that returns the name of the logged in user and works as it should.
Problem is - If I leave the page sitting for a while and the session expires, it doesn't route me to login, it gives me the following error:
Attempt to read property "username" on null
Error message
Am I missing something? My routes are all wrapped in middleware => auth group.
After this happens, I manually type logout in the url which logs me out and return a login BUT I always have to login twice. The first login does nothing, no error, no message.
I'm getting a page expired error (er.419) when I try to login after a previous logout.
I'm working on auth pages for SPA made with Laravel and Vue.js. It works well on first login but after a logout it shows an error submitting the second one login.
I think the issue is the CSRF sent previously and (maybe) expired after logout.
My work flow is this:
login component has hidden form sent as POST method to Laravel API having the csfr-token value from an HTML META TAG set up when app is created by Laravel template:
meta name="login-status" content="{{ Auth::check() }}"
The logout is done by a fetch request in a vue component. So no refresh is done.
Thanks for any suggestion!
From the laravel docs (https://laravel.com/docs/5.8/csrf#csrf-introduction):
Laravel automatically generates a CSRF "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the one actually making the requests to the application.
When you logout, you are invalidating your current session - which means that the csrf token you have cached in your meta becomes invalid.
Solution 1
Refresh the page when you successfully logout, so php can output the active csrf token into your meta tag. For example:
fetch('/api/logout', {
method: 'post'
}).then(() => {
window.location.href = '/login';
});
Solution 2
Consider using the api route middleware group. Doing so will mean the application will not trigger the App\Http\Middleware\VerifyCsrfToken middleware. Bear in mind though that you will no longer have access to the session, so you'll need to look into stateless authentication techniques such as via JWT's.
Laravel themselves even provide a package for authenticating api's. (https://laravel.com/docs/5.8/passport)
I am using Laravel 5.7. For security reasons, I set my laravel application to automatically logout after one hour inactivity. But I want the user log back in the same page before they got kicked out by the system. I try to use Session, but it only store previous url which is the login page url. How can I retrieve that URL before user got automatically logout?
All you need to do is put this in your logout function.
session(['returnUrl' => url()->previous()]);
And then on login function, redirect user to session('returnUrl') and delete session data with session()->forget('returnUrl')
Use this in your login controller
url()->previous()
How do I check if the session has expired in laravel 5.4.
If the session has expired I want to show a message.
You can use the following
if(Auth::check()) {
}
Laravel will Create Session For every user no matter the User is Logged in or not. It will create Token for Specific Session. You can check if the Token Exist or not.
You can check if the token is there or not by the function Session::get('_token');.
But if you are asking if You want to check if User's Session is Expired, You can use Auth::check(). It will return if the Session is Expired or not for the specific user.
For example, If the user is Logged in, It will return True or False. But you can't check if overall Session is Expired or not Because Laravel will create and Store Session For every Single Visit No Matter if the user is Authenticated or not.
Let me know if you have any More Questions or Queries regarding Laravel Sessions. Let me know if it Helps!
I use tank_auth to authenticate and log users in to my application developed using Codeigniter. I noticed that when the session expires after the default period, the user remains logged in. In tank_auth's login() function,
if ($this->tank_auth->is_logged_in())
check at the very beginning always returns true.
I'd like to log the user out when the session expires. Please could you point me in the right direction to implement this?
Thanks!
Mmiz