Wow, sorry to ask this question, but it seems everyone asks this question on here or Stack Overflow at very different times in their journey. I must be looking in the wrong place in the docs not to find something so simple.
I am at the place when the session times out after the preset 120 mins. At the moment nothing happens until the user clicks something and they get an error or they realise they have been logged out.
In old apps I used to redirect with a meta http-equiv="refresh" content="5; localhost/login_page"
I realise this is a bit of a blunt way to treat a user as they may lose their work, but I can't work out where to start in Laravel. I must have read 20 threads, but they seem further along than me in a) the logic and b) what I should do...
Hope this is clear.
For not losing any data you can use this package: https://github.com/GeneaLabs/laravel-caffeine
In general I either set a higher session timeout or don't do anything at all.
Thx Bobby, when you say 'don't do anything at all', really? The user turns into an unauthenticated guest then but is in the app, and so if they click on anything they get a massive error page... I can't see how this is good? Also thanks for the package idea, but I am sure Laravel must have a way to do this simply. I've read about middleware, so in English code I want to:
when session times out
redirect user to login page
or
have a modal block the app until they log back in...
I am that desperate I am happy to use my redirect again if anyone can tell me the eloquent way to get the user back to the login page.
I've tried this but it just takes the user back to the home page, not the login page (why?)
<meta http-equiv="refresh" content="5; {{ route('login') }}" />
@BOBBYBOUWMANN - 'In general I either set a higher session timeout or don't do anything at all.'
Am I overthinking this then? I use an app at work written in .NET and I get an error message every morning. I think it's crappy and this is a £1million turnover provider.
Maybe I am overthinking it but I don't think so.
Generally when I visit a site I know I will be logged OUT unless during login I click on 'remember me' (Laravel also has this option); this way users will stay logged in.
I think from the common standard set, it's OK for people to be logged out; unless they are doing FORMS (and if they are taking 120 mins, then that's their fault) it shouldn't be a big problem.
One thing that popped into my mind is to have some kind of event broadcasting where you open a connection which interacts with the B/E to determine if user is logged in or not - and you then pop up a message.
In the same vein, you COULD have an ajax call (set timeout every 1 hour) that makes a dummy call (the controller func for this route returns if user is a guest or not) and then you can see if you are still logged in or not and again pop up a message or an error message...
In a workplace if a user leaves a computer they should log out anyway.
I can't speak for all State Governments but I know the state of Texas requires you to log out.
The only time I can understand a user not logging out is in a home environment. But if they are logging in to say A Bank application well they should log out.
Just my opinion.
I guess way back yonder I learned the never-trust-a-user lesson.
I've tried this but it just takes the user back to the home page, not the login page (why?)
<meta http-equiv="refresh" content="5; {{ route('login') }}" />
This is because you are still logged in. A user that is logged in cannot access the login page. The middleware RedirectIfAuthenticated is applied to the login route and will redirect the user to the home page.
As I wrote in response on another much older question, the only time the user will see an error is when there is a form on the page since that form will be protected by csrf.
All other pages that are wrapped in auth middleware will redirect to the login page if they are accessed and the user's session is timed out. Without making any other changes, the Auth logic will direct the user to the login page, let them login and then redirect them to wherever they were going when they clicked a link on the client.
So, two main problems. If you leave the user on the login page after they logout then the login form will become invalid after 2 hours. The way around this is to show the user a 'Login' button which then gets a fresh form for them to fill in.
The next problem is if they are active in the application on a form and then go away and leave their session to expire. One way around this issue is to have a meta refresh tag that redirects after 120 minutes to a page that does not include a form. The only small gotcha with this is that the user can happily be working away in another tab, and their session has not actually expired. Your meta refresh can redirect to a page that says 'This page has expired' with a link to return to the page they were on before. If their session has truly expired then they will be prompted to login before returning to the page they were trying to return to.
The other approach is to install caffeine. This effectively prevents the session expiring by continually prodding the server on the user's behalf.
The final consideration is ajax requests. If you use these, you need to be prepared to handle the session timing out. Your ajax request will fail and you will need to guide the user as to what they should do about it.
@JLRDW - Thx, I never trust a user either, that's why I want them auto logged out and returned to a home page so they know they have been logged out. My logic must be all wrong... worrying, as it seems very logical to me that if a user leaves their PC for a while it would be sensible to return them to a safe page (log back in page).
Redirect on session time out...? Any ideas.
@SNAPEY - Thanks for the response, kind of appreciate it but still confused.
I still haven't worked out why I am even asking this question and no one else seems to have an issue with leaving the user in the app logged out. Must be me.
I want my app to return users to the login page after the session times out. I don't care if they go for lunch and forget, I want them to return to a home page asking them to log back in after...
Did you answer that or have I overlooked it? Thx
What about having a tiny iframe on every page which refreshes a page on your site every minute. That would keep them logged in anyway. The only other way I can think of is having a little vue component that runs an axios get on an authenticated route every few minutes and if it errors because of not being authenticated redirect the user
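An added example (not code from this thread or from any project mentioned in it) of the authenticated-route check suggested above, which also covers the earlier point that ajax calls must cope with an expired session. It assumes a hypothetical `/session-check` route behind the auth middleware and the default `/login` route, and relies on Laravel answering unauthenticated JSON requests with 401 and expired CSRF tokens with 419. To avoid keeping the session alive, it probes only after one full lifetime has passed in this tab, so a user who stayed active in another tab is not thrown out.

```javascript
// Added example; CHECK_URL is a hypothetical route behind the auth middleware.
const LOGIN_URL = '/login';          // assumption: the default Laravel login route
const CHECK_URL = '/session-check';  // hypothetical, returns any small JSON body

// Map a fetch() response (the probe or any other AJAX call) to an action.
function sessionAction(res) {
  if (res.status === 401) return 'login';   // session gone, JSON request
  if (res.status === 419) return 'reload';  // CSRF token expired with the session
  // Non-JSON requests get a 302 to the login page, which fetch() follows.
  if (res.redirected && new URL(res.url, 'http://placeholder.invalid').pathname === LOGIN_URL) {
    return 'login';
  }
  return 'ok';
}

async function probe(fetchImpl) {
  try {
    const res = await fetchImpl(CHECK_URL, {
      credentials: 'same-origin',
      headers: { Accept: 'application/json', 'X-Requested-With': 'XMLHttpRequest' },
    });
    return sessionAction(res);
  } catch (err) {
    return 'ok'; // network failure says nothing about the session; retry later
  }
}

// Probe only after one full session lifetime without a page load in this tab.
function watchSession({ lifetimeMs, fetchImpl, onAction, setTimer = setTimeout }) {
  const arm = () => setTimer(async () => {
    const action = await probe(fetchImpl);
    if (action === 'ok') arm(); // another tab kept the session alive: wait again
    else onAction(action);      // 'login' or 'reload'
  }, lifetimeMs + 5000);        // small margin so the server expires first
  arm();
}

// Browser usage, with the 120 minute lifetime from the question:
// watchSession({
//   lifetimeMs: 120 * 60 * 1000,
//   fetchImpl: (url, opts) => fetch(url, opts),
//   onAction: (a) => (a === 'login' ? location.assign(LOGIN_URL) : location.reload()),
// });
```

For a route in the `web` middleware group every probe renews the session, so running this on an interval shorter than the lifetime turns it into a keep-alive rather than an expiry check.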
@BABONDAY - Besides what Snapey said, I have seen where you can do an auth check and redirect once the user attempts something. Sorry I didn't save that link.
@JLRDW - thanks. just to repeat my issue in case anyone has written anything to help me.
At the moment the user times out and nothing happens in the app... the user can even click a button or start a form. At that point the navbar changes to 'logged out' but it still takes the user to the form...
Have I set up something wrong, or does no one see the issue that if the user doesn't notice the logged out status and fills a form out he will be pissed? Thx
@CODINGISEASY - Has anyone got an example website written in Laravel so I can log in and see how they handle it? Does this site kick you out after a few hours?
I see questions like mine all over the web but don't understand the answers at all...
https://laracasts.com/discuss/channels/laravel/redirect-to-login-page-after-session-timeout
Well, two things here: one, increase the session lifetime; two, a user should be logging out or shouldn't be letting their session expire, that is the user's fault.
You talk about losing data okay, back before laptops and batteries an industry with desktops, users were taught to back up often, what if there was a power failure for example.
This is a clear-cut case where user needs some training in proper dealing with their data.
It's their data so tell him don't lose their data, and how not to lose it.
@JLRDW - No, it's nothing to do with a user not using the app correctly. It's about user experience and it looking crappy.
Please click on the links I supplied, others are asking the same question.
Even if I can get a modal to appear with a button that returns the user back to the login page that would be good.
I still need to know how to activate the modal on session time out...
Yes, I answered all your concerns.
I want my app to return users to the login page after the session times out.
Well, that's one problem. If you leave the user on a login page then they will see an error if they fill that form in after their session has expired.
Just use remember me
https://laravel.com/docs/5.8/authentication#remembering-users
Then they can still log out if they wish.
@SNAPEY - I give up... screw the user, or should I say screw the logged/timed out user fumbling around in my app...
Why?
My users don't have a bad experience.
See my latest reply above, have you seen remember me.
@JLRDW - Maybe this is the way to go... never let them leave!! I won't be handling any personal details, but I was hoping to learn how, say, banks log users out after say 10 minutes and return them to the login page again... Thought it would be fun to learn this... I was very wrong.
@SNAPEY - What happens to your users if they leave their desks and return after the session has timed out? What do they see? I'd be interested to know for experience. Thx
@BABONDAY - Have you tried to do an auth check with a redirect? Try it.
@JLRDW - Could I at least change the colour of the 'login' title in the navbar when the session times out? Maybe that would allow the user to see they have logged out.
@JLRDW - Any examples? Thx
@BABONDAY - I am testing something now.
Okay, I changed session to one minute and let it expire. I just left off on one of my pages with pagination.
I then clicked on 3 for page 3, it took me back to the login page.
So the out of the box auth works correctly in laravel 5.8.
Also, you can have in your nav bar the logout link, which in this app redirects to login page also.
So read everything on the out of the box auth and setup auth middleware routes.
See last answer, also
run php artisan config:clear
Many thanks for testing. I have version 5.7.13.
'I then clicked on 3 for page 3, it took me back to the login page.' This is what I would expect...
When I test with the session set to 1 minute it does log the user out but nothing in the navbar changes; the user can then go to another page and that's when the navbar says they are logged out.
It doesn't redirect them back to the login page.
@SNAPEY - "This is because you are still logged in"
Many thanks for your logic help. I set the refresh to kick in after the user was logged out by the session and it took the user back to the login page.
meta http-equiv="refresh" content="7300; {{ route('login') }}"
I am sure Laravel has a much nicer way of dealing with a user by using a class or event listener, but this will have to do for now.
It doesn't redirect them back to the login page.
Surely the user can click the login button for themselves....
How do you know their intent. At that point they may want to exit out and go home for the day.
Because I know the principles I described earlier in this thread are sound, I have built and published a test app that gracefully handles expiring user sessions.
It doesn't do much but demonstrates the two main problems:
User session ends but user is left on a page with links only for use by authenticated users
User session ends whilst on a form.
You can see the application at https://uxp.novate.co.uk
The repository is public at https://github.com/snapey/uxp
I tried your application and it would really suit me, your solution. It would help me a lot with my app to be able to view the code. I tried to use the link you put but it doesn't work.
Thanks
@AGallo both links work just fine
@Snapey If I try to connect to the repository it gives error 404. Could it be that the repository is not public but private?