Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

65-99's avatar
65-99
OP
2 years ago
Level 1

Force logout specific user in laravel 10

Hi i know there is answer to this questions on forum but they are outdated and they aren't working on laravel 10. Im using laravel 10 and laravel brezze and i must force logout of this user

$user = User::find($userid);

i was thinking about using code like this

/**

  • Destroy an authenticated session. */ public function destroy(Request $request): RedirectResponse { Auth::guard('web')->logout();

    $request->session()->invalidate();

    $request->session()->regenerateToken();

    return redirect('/'); } from AuthenticatedSessionController

But i don't know how to edit this code to wrok in my code

1 like
2 replies
JussiMannisto's avatar

If you're using the database driver for sessions, it's simple:

DB::table('sessions')->where('user_id', $user->id)->delete();

With the file driver it's harder. There's an Auth::logoutOtherDevices() method, but it doesn't work here because it requires the user's (unhashed) password. It works by rehashing their password, which makes other sessions fail the auth.session middleware check, effectively invalidating those sessions.

You might be tempted to add a boolean flag to the user model (e.g. require_reauth) which would be checked in a middleware. It would force a new login and get cleared after a successful login. But that won't work if the user is logged in on multiple devices.

You'd have to do a combination of those two methods: require a new login using the flag, then invalidate other sessions during the login with the Auth::logoutOtherDevices() method while you still have the user's password. Also you'd need to use the auth.session middleware in your routes.

I use DB sessions for reasons like this. If someone knows of a more convenient way with file sessions, please share.

1 like
potsky's avatar

You can just invalidate all sessions by setting an incorrect password. I use this on Laravel 11:

    public static function logoutBrowserSessions(User $user): void
    {
        $name = config('auth.defaults.guard');

        app('auth')->createSessionDriver(
            $name,
            [
                "driver" => \config("auth.guards.$name.driver"),
                "provider" => \config("auth.guards.$name.provider"),
            ]
        )
            ->getProvider()
            ->rehashPasswordIfRequired($user, ['password' => Str::random()], force: true);
    }
1 like

Please or to participate in this conversation.