Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Hello,
How can we force logout a user?
I was thinking about storing a session in the database and cache it for few minutes. Then on each page check if the session still exists.
Or is it possible to pass through an user_id on the Auth::logout() facade?
I haven't tried it but if the session_id is empty in the database, it will probably log out the user automatically. Try emptying the row and see what happens! (dev environment obviously!)
Auth::logout() selects the authenticated user so you can't really pass another user ID.
@Ruffles Yes that worked! Is there any need to add an user_id column to the session table? So when a user got banned I simply can lookup any session he has and delete it? Or can I access the user_id using the session facade? Probably not.
I use middleware for this that checks the current user account for active status. If a user account is set to inactive then they are logged out before their next request is processed.
Illuminate\Auth\Guard uses this method to log the user out:
/**
* Refresh the "remember me" token for the user.
*
* @param \Illuminate\Contracts\Auth\Authenticatable $user
* @return void
*/
protected function refreshRememberToken(UserContract $user)
{
$user->setRememberToken($token = Str::random(60));
$this->provider->updateRememberToken($user, $token);
}
I guess you could just reproduce those two lines of code with your own User object and they will be "logged out" as far as the server is considered, meaning the next request they send will fail the authenticated middleware if required.
If you also want to fire the logout event, here is how the same class does that:
$this->events->fire('auth.logout', [$user]);
So you can just use the global helper function event:
event('auth.logout', [$user]);
Setting up middleware sounds like to right choice.
Although I have set up the middleware, but I am unable to fire the event.
Undefined property: App\Http\Middleware\MustBeActive::$events
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Console\Scheduling\Event;
class MustBeActive
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
$user = $request->user();
if ($user && $user->isActive())
{
return $next($request);
}
$this->events->fire('auth.logout', [$user]);
}
}
@BrianVeltman The error message is telling exactly what the problem is:
Undefined property: App\Http\Middleware\MustBeActive::$events
You’re trying to use $this->events, but that doesn’t exist. You’ll need to re-write it as Event::fire('auth.logout', [$user]) instead.
Also don’t forget to import the Event façade at the top of your file.
@martinbean you were right thanks :)
Now it seems that the event auth.logout does nothing. The user is still logged in after firing the event.
I don't use those events but perhaps the auth.logout event is fired by the logout process as opposed to causing the logout to occur?
Anyway, I've just used something like this in the appropriate middleware (after checking that a user is logged in):
if (!$this->permission->check('isActive')) {
$this->auth->logout();
flash('Invalid credentials, please login to continue');
return redirect()->route('login');
}
You Can Try and Use an Ajax Call to Auth Logout a User let me know if it fits your needs
@masterpowers are you still active? I have question on Auth::logout();
Auth::logout(); will logout the current user right? but what if a specific user?
I passed a user id using ajax and what i want is to logout that user id.. do you have any ideas?
patulong naman tsong.
what
Please or to participate in this conversation.