
skcin7's avatar

How to delete all session data, so that users must re-log in?

Hi everybody, I'm trying to figure out how to require all users to sign in when they visit my app again. Basically, remove the session data that keeps them logged in, so that they have to re-log in. I'm fine with removing all session data, but I can't figure out how to do this.

I've tried 3 things so far:

  1. Rebooting the server (thinking this may clear out any data stored in memory).
  2. Deleting all the files in the storage/frameworks/sessions directory.
  3. Removing the data in the remember_token field of the users table.

However, NOTHING seems to be working, and the users are still logged in when the browser is re-opened!! :/

Here's my config/session.php:

<?php
return [
    'driver' => env('SESSION_DRIVER', 'file'),
    'lifetime' => 1,
    'expire_on_close' => true,
    'encrypt' => false,
    'files' => storage_path('framework/sessions'),
    'connection' => null,
    'table' => 'sessions',
    'lottery' => [2, 100],
    'cookie' => 'laravel_session',
    'path' => '/',
    'domain' => null,
    'secure' => false,
];

HELP!!

0 likes
14 replies
skcin7's avatar

@tisuchi, yes I did try that. It was one of the first things I tried, but the User is still logged in.

In my Controller:

    public function flushSession(Request $request)
    {
        $request->session()->flush();

        return redirect('/');
    }

User stays logged in.

d3xt3r's avatar

Depending on the session driver you are using: delete all session data (delete files / clear the session table) AND update the remember token on all users to null.

OR, add an extra field to user table, should_re_login and update your auth middleware to handle that.

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @param  string|null  $guard
     * @return mixed
     */
    public function handle($request, Closure $next, $guard = null)
    {
        if (Auth::guard($guard)->guest()) {
            if ($request->ajax() || $request->wantsJson()) {
                return response('Unauthorized.', 401);
            }
            return redirect()->guest('login');
        } else if (Auth::guard($guard)->user()->should_re_login) {

            Auth::guard($guard)->logout();

            if ($request->ajax() || $request->wantsJson()) {
                return response('Unauthorized.', 401);
            }
            return redirect()->guest('login');
        }
    
        return $next($request);
    }

Update AuthController

    public function authenticated(Request $request, $user)
    {
        $user->should_re_login = false;
        $user->save();
        
        return redirect()->intended($this->redirectPath());
    }

Then update the user's should_re_login to true whenever you want to force him to log out.

2 likes
Cronix's avatar

@pionbrain Correct, along with anything that you used laravel encryption/decryption functions on.

Snapey's avatar

Is someone actually looking for this? (year old thread)

How about a new command to purge the sessions folder (assuming using file based sessions)

1 like
Curtis's avatar

Warning: if you regenerate your APP_KEY in your .env file (as prior reply suggests), I believe this will invalidate all hashed user passwords

This is not correct, quoting Taylor Otwell himself, "A common misconception I see online is that the APP_KEY is related to password hashing. It's not. It has nothing to do with password hashing at all. It's only used for encryption."

https://twitter.com/taylorotwell/status/1027290106648875008

3 likes
siangboon's avatar

Somehow, regenerating the app key seems weird, as it affects the entire system just to force one or a few users to re-login...

I see there is a setting in config/session.php, the default value is false, you may try to set it to true.

'expire_on_close' => false,
pSouper's avatar

This is a command that will do* the trick...

*I've only included File & DB drivers for now but adding others like Redis, Memcache etc. will be easy enough too.

Usage:
$ php artisan session:flush will flush the currently configured session driver (see your .env).
$ php artisan session:flush --driver=all will flush all session drivers. This is useful if you've switched driver recently.

<?php

namespace App\Console\Commands;

use Illuminate\Console\Command;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Schema;
use Illuminate\Support\Facades\File;

class FlushSessions extends Command
{
    /**
     * The name and signature of the console command.
     *
     * @var string
     */
    protected $signature = 'session:flush {--driver=}';

    /**
     * The console command description.
     *
     * @var string
     */
    protected $description = 'Flush all user sessions';

    /**
     * Create a new command instance.
     *
     * @return void
     */
    public function __construct()
    {
        parent::__construct();
    }

    /**
     * Execute the console command.
     *
     * @return int
     */
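    public function handle()
    {
        // Use --driver when given, otherwise the driver the app is configured with.
        $driver = $this->option('driver') ?: config('session.driver');

        switch ($driver) {
            case 'database':
                $this->flushDB();
                break;
            case 'file':
                $this->flushFile();
                break;
            case 'all':
                $this->flushDB();
                $this->flushFile();
                break;
            default:
                // Drivers not handled here (redis, memcached, cookie, ...) must not pass silently.
                $this->error("Session driver [{$driver}] is not supported by this command; nothing was flushed.");
                return 1;
        }

        return 0;
    }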

    private function flushDB()
    {
        $table = config('session.table');
        if (Schema::hasTable($table)) {
            DB::table($table)->truncate();
            error_log($table.' was truncated');
        } else {
            error_log($table.' table does not exist');
        }
        return;
    }
     
    private function flushFile()
    {
        $path = config('session.files');
        
        if (File::exists($path)) {
            $files =   File::allFiles($path);
            File::delete($files);
            error_log( count($files).' sessions flushed');
        } else {
            error_log('check your session path exists');
        }
    }

}
2 likes
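
d3xt3r's first suggestion earlier in this thread (clear the session store AND null every remember token) combined with the session:flush command above, as an added example that is not code from any poster in this thread. The command name auth:force-relogin, the class name and the --table option are assumptions, as is a users table with a remember_token column.

```php
<?php

namespace App\Console\Commands;

use Illuminate\Console\Command;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\File;

// Added example. Assumptions: the command name, the class name and the
// --table option are hypothetical; users live in a table with a
// remember_token column; the session:flush command above is registered.
class ForceRelogin extends Command
{
    protected $signature = 'auth:force-relogin {--table=users}';

    protected $description = 'Clear remember-me tokens and stored sessions';

    public function handle()
    {
        $driver = config('session.driver');

        // session:flush only empties the file and database stores. Stop
        // before touching anything if sessions live somewhere else.
        if (! in_array($driver, ['file', 'database'], true)) {
            $this->error("Session driver [{$driver}] is not covered; clear that store separately.");
            return 1;
        }

        // 1. Remember-me tokens first: a browser that still holds a valid
        //    remember cookie is logged back in as soon as its session is gone.
        $cleared = DB::table($this->option('table'))
            ->whereNotNull('remember_token')
            ->update(['remember_token' => null]);
        $this->info("{$cleared} remember tokens cleared");

        // 2. Then the stored sessions, using the command from the post above.
        $this->call('session:flush', ['--driver' => $driver]);

        // 3. Check the result instead of assuming it. Visitors arriving
        //    during the run can legitimately create new (guest) sessions.
        $left = $driver === 'file'
            ? count(File::files(config('session.files')))
            : DB::table(config('session.table'))->count();
        $this->line("{$left} sessions in the {$driver} store after the flush");

        return 0;
    }
}
```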
laragrh's avatar

Warning: Doing key:regenerate will invalidate all signatured URLs
