
camillele

Is it necessary to automatically logout users?

I have this scenario in my application.

There are 2 user roles.

1. Admin users - Logged in via web portal
2. API users - Logged in via API using Sanctum

I store both user information in the users table.

I have protected my Web routes using an admin role middleware. Same for the API routes.

If somehow an API user gets access to the Web admin login portal and enters their login details, what should I do?

Currently I'm automatically logging out the user and returning a 403 response.

What is the best practice?

0 likes
2 replies
jlrdw

Business apps I would, casual apps some do and some don't, that's preference.

1 like
CorvS

@camillele You could tweak your admin role middleware a bit and redirect them to a page where they can download your app for example.

But as @jlrdw already said, there is no real "best practice" here. Ask the product owner or go with whatever feels best to you.

1 like
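An added example, not code from the thread or from any participant, of the admin role middleware the question describes. It implements both behaviours discussed above: the question's current approach (invalidate the web session and return 403) and CorvS's alternative of redirecting the non-admin user to a download page. Either way the session is invalidated first, so an API user's credentials never leave a usable web session behind, and the attempt is logged so it shows up in monitoring. The `role` column on the users table, the route name `download-app`, and the `web` guard name are assumptions for this example, not something the thread states.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

/**
 * Rejects any authenticated non-admin user who reaches a web admin route.
 *
 * Register it on the admin route group, e.g. in routes/web.php:
 *   Route::middleware(['auth', EnsureUserIsAdmin::class])->group(...);            // logout + 403
 *   Route::middleware(['auth', EnsureUserIsAdmin::class . ':redirect'])->group(...); // logout + redirect
 */
class EnsureUserIsAdmin
{
    public function handle(Request $request, Closure $next, string $onFailure = 'deny'): Response
    {
        $user = $request->user();

        // Not authenticated at all: let the normal login flow handle it.
        if ($user === null) {
            return redirect()->route('login');
        }

        // Assumed schema: users.role holds 'admin' or 'api'.
        if ($user->role === 'admin') {
            return $next($request);
        }

        // A non-admin (e.g. an API user) signed in through the web portal.
        // Record the event so repeated attempts are visible to operators.
        Log::warning('Non-admin user reached admin web route', [
            'user_id' => $user->id,
            'role'    => $user->role,
            'ip'      => $request->ip(),
            'path'    => $request->path(),
        ]);

        // Tear down the web session before deciding how to respond, so the
        // credentials cannot be reused against other web routes in this session.
        Auth::guard('web')->logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        if ($onFailure === 'redirect') {
            // CorvS's suggestion: send them somewhere useful instead of a bare error.
            return redirect()->route('download-app'); // assumed route name
        }

        // The question's current behaviour: plain 403.
        abort(403, 'Admin access required.');
    }
}
```

The middleware parameter (`:redirect`) lets the same class serve both policies, so the choice jlrdw and CorvS describe as a product preference becomes a one-word change in the route definition rather than a second middleware.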
