Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

bt3's avatar
bt3
OP
4 years ago
Level 9

Session-based temporary users alongside normal users

Hey folks,

So I've got an app that does some series of financial calculations. In its current state, all of the generated records/ models, etc. that are used in the calculations "belong" to Users. This of course requires that someone registers for the app before I can show them outputs.

I've been asked to provide a way to see outputs without having to register. I think it's a fair ask as many use cases are short lived and the burden of registering prevents users from using the app altogether.

What I'd like to do is allow visitors to access the "backend" of my app as if they were a user, but only show them what they've created, as if they were a registered user. For the sake of argument, lets call is Scenarios and Scenarios->belongsTo(User::class)

I had two thoughts as how this might work:

1 - Since I don't want to change any of the actual logic of the app, I continue to use the User model for my "temporary" users. I add a column to the User model that tracks if a User is temporary, and make password nullable. When a scenario is created, I "login" the visitor to this "temporary" user just based on a dynamic URL with some uuid. This also works because then you can share a public URL that effectively "logs" you into this temp user that has access to the Scenario. I then log the last_login_date of users, and if a temp user hasn't had a login over some threshold, I purge the account.

This approach keeps most of my codebase the same, but merges "regular" users with "temporary" users in the same table.

...

2 - Another approach is to make Scenarios independent from Users. I could keep my logic that says if you're a logged in user, you can only see your Scenarios, but now Scenarios has no dependency on the User. So I'd add a uuid to the Scenario and allow it to be accessed via a unique URL. Since that Scenario doesn't belong to a User there's no auth needed, it's just a freely accessible URL, but this will require me to really vet the security/ access permissions on "personal" (non-public) Scenarios.

One downside to this approach is that I never really "remember" any temporary users (there is no session for that temp user), so if that visitor forgets the uuid / URL, then the Scenario will be somewhat lost.

...

I am not convinced either approach is perfect, but maybe someone has thought about this before?

0 likes
6 replies
Nakov's avatar

So I'll share my thoughts here on what I might do and based on what you said above.

I like the 2nd approach more and I would connect it to a single User which you can create, so all the scenarios will belong to one User, but they'll have their own separate uuid which you can return to the User once created and tell them to keep it if they want to see previous calculations. With this approach you can still maintain a session with that dummy user, and log the user in if the session expires given the uuid for the scenario.

Not sure if it makes sense, but I am just thinking out loud, hope it will give you a "new" direction.

bt3's avatar
bt3
OP
4 years ago
Level 9

If I do a single user and maintain a session, this effectively means I'm logging in every "visitor" as the same user. Not sure if that would trigger any warnings internally?

The other caveat with this approach is that a User can actually have multiple Scenarios, so if all "visitor" Scenarios belong to a single user, I'll need additional logic to make sure I don't try to render a massive list of all "visitor" scenarios to everyone...

webrobert's avatar

I think I ’d create temporary users and limit their movement with middleware. login them in on the fly. Makeup a password. Doesn’t matter. Once they go their session is over. If they want the benefit of being an actual user they have to register. And So during their session you have the opportunity to convert them to an actual user. “Register now to save this scenario.”

Then at an interval dump the temporary users… daily, monthly etc.

bt3's avatar
bt3
OP
4 years ago
Level 9

This is interesting, but if I'm "creating" the user with dummy email/password, how do I differentiate a "real" user from a dummy one? I don't recall if Laravel requires email to be unique (I think it does out of the box) and wouldn't want to be triggering "Welcome User!" emails to "temporary" users, so I'm back to using an additional column to denote them as such?

Your suggestion of middleware would presumably allow me to build that "check" of a real vs dummy user in across the app and show the upsell (register), etc.

jlrdw's avatar
jlrdw
4 years ago
Best Answer
Level 75

Probably easier to just have a route and controller for non-auth users to do the calcs..

Just suggestion.

webrobert's avatar

@bt3 even as I finished writing Im probably with @jlrdw. By the time you do all the work to hack a workaround for this. You could probably have remedied the belongs to user issue. Idk 🤷‍♂️

Anyhow on your reply you’d still have to mark them as temporary users somehow.

Please or to participate in this conversation.