
zahidnazirkhan's avatar

Logout Users from other devices

Hello Everybody,

I want to have a selective mechanism where I can select n users & have their sessions expire on every device they are logged in.

For a logged in user, we have:

Auth::logoutOtherDevices($user->password);

How can I implement the same for n users?

Does Auth::logoutOtherDevices($user->password) destroy the user's password as well?

Thank you

0 likes
7 replies
zahidnazirkhan's avatar

Hello Everybody,

Looking at the scenario in consideration, I have the following observations:

  1. Administrator selects n users to have their sessions expire on every device.
  2. All the selected users, when they interact with the application, are redirected to the Login page.

Below are two problems that I am facing:

  1. All the selected users are not able to log in again using their current passwords.
  2. Once an administrator selects n users for their session timeout, he himself is logged out.

Below is my implementation code:

public function expire_sessions(Request $request) {
    $userIds = $request->UserIDs;
    $loggedInUser = Auth::user()->id;
    foreach ($userIds as $key => $user) {
        $user = User::find($user);
        $user->force_login_status = 1;
        $user->force_login_by_user_id = $loggedInUser;
        $user->save();
        Auth::setUser($user)->logoutOtherDevices($user->password);
    }
    return response()->json(['status' => true, 'message' => 'User(s) sessions expired']);
}

I want to know whether the logoutOtherDevices() function erases the users' passwords as well. Why does the current user (Administrator) get logged out?

Am I following the correct convention?

Pomstiborius's avatar

There are two problems with your code. First of all, logoutOtherDevices() takes the user's password as its first argument and does that for a good reason. This function invalidates other sessions simply by creating a new password hash, and it needs the current password to do so. If you provide any other string, the user's password will be changed to that string. Right now you are passing $user->password, but this is not the current user's password. It's the current hash, so you are pretty much changing every user's password.

And the current user (Administrator) gets logged out because, in order to log out from other devices, you set another user in the auth() guard. After the loop you need to manually log the admin in again. It's easy because you have his ID, so all you have to do is put this code after the foreach loop: Auth::loginUsingId($loggedInUser);.

In general I don't think it's the right way to do this, at least if you don't want to reset their passwords. The best way is (at least in my opinion) to delete the remember_token for all selected users and also clear their sessions. In order to do that, you need to move sessions to the database. Then you can delete all sessions for every selected user.
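
The approach suggested in the reply above, as an added example that is not part of the original post or of Laravel itself: it clears remember_token and deletes the database session rows for the selected users without touching their passwords or the administrator's own session. It assumes SESSION_DRIVER=database with the stock sessions table (which has a user_id column), the App\User model and force_login_* columns seen elsewhere in this thread, and a hypothetical 'expire-sessions' gate and controller name.

```php
<?php

namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Gate;

class SessionAdminController extends Controller // hypothetical class name
{
    public function expireSessions(Request $request)
    {
        // Hypothetical gate name: only administrators may force logouts.
        Gate::authorize('expire-sessions');

        $data = $request->validate([
            'UserIDs'   => 'required|array|min:1',
            'UserIDs.*' => 'integer|distinct|exists:users,id',
        ]);

        $adminId = Auth::id();
        // Drop the caller's own id so the administrator stays logged in.
        $targetIds = array_values(array_diff(array_map('intval', $data['UserIDs']), [$adminId]));

        $deleted = DB::transaction(function () use ($targetIds, $adminId) {
            // Clearing remember_token invalidates "remember me" cookies; the
            // password column is never touched, so current passwords keep working.
            User::whereIn('id', $targetIds)->update([
                'remember_token'         => null,
                'force_login_status'     => 1,
                'force_login_by_user_id' => $adminId,
            ]);

            // Assumes SESSION_DRIVER=database and the stock sessions table,
            // whose user_id column ties each session row to its owner.
            return DB::table('sessions')->whereIn('user_id', $targetIds)->delete();
        });

        return response()->json([
            'status'  => true,
            'message' => "User(s) sessions expired ($deleted session rows removed)",
        ]);
    }
}
```

Because no other user is ever set on the auth guard, the administrator's session is left alone and no re-login step is needed after the call.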

bugsysha's avatar

I want to know whether logoutOtherDevices() function erases the users' passwords as well?

It does not erase the password, but replaces it with a new one that you've provided to the logoutOtherDevices method.

Why the current user (Administrator) gets logout?

Probably because you missed something. You can always log that user in with Auth::loginUsingID($loggedInUser) until you figure out what you did wrong.

This might help you get a better understanding of what is going on. See how password is always different from newPass, and once you refresh, password gets the value of newPass while newPass gets a new value.

Route::get('/test', function () {
    $user = \App\User::first();
    $password = $user->password;
    auth()->login($user);
    auth()->setUser($user)->logoutOtherDevices('something');
    $authId = auth()->user()->id;
    $newPass = auth()->user()->getAuthPassword();

    return compact('authId', 'password', 'newPass');
});
