Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

bipin_1611's avatar

Multiple Auth::Guard Check

I do have two authentication guard called web and back.

I have seperated routes into two middleware for the auth and backoffice.

When i login with web guard, still i am able to open routes which under the back guard.

Her is my auth.php


    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],
        'back' => [
            'driver' => 'session',
            'provider' => 'backs',
        ],
        'api' => [
            'driver' => 'token',
            'provider' => 'users',
            'hash' => false,
        ],
    ],

'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => App\User::class,
        ],
        'backs' => [
            'driver' => 'eloquent',
            'model' => App\Backoffice\Backoffice::class,
        ],
    ],

heres, is my web.php

 Route::group(['middleware'=>'backoffice'], function(){
	Route::get('admin_users', 'AdminUserController@index');
        Route::get('add_users', 'AdminUserController@create');
});



Route::group(['middleware' =>'auth:web'], function () {
    Route::get('/home', 'HomeController@index')->name('home');
    Route::resource('agent','AgentController')->names('agent');
    Route::get('agent/destroy/{id}', 'AgentController@destroy');

});

here is middleware backoffice.php

public function handle($request, Closure $next, $guard = null)
    {
        if (Auth::guard('back')->check() == false && $guard != 'back') {
            $request->session()->flush();
            Auth::logout();
            return redirect('backoffice/login');
        }
        return $next($request);
    }

here is my model.

namespace App\Backoffice;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Foundation\Auth\User as Authenticatable;


class Backoffice extends Authenticatable
{
    protected $table = 'users';

    protected $guard = 'back';

    protected $guarded =[];
}

please let me know if you need further information.

0 likes
9 replies
khaledw62's avatar

You should passing the guard as a auth middleware param like following auth:back

Route::group(['middleware'=>'auth:back'], function(){
	Route::get('admin_users', 'AdminUserController@index');
        Route::get('add_users', 'AdminUserController@create');
});



Route::group(['middleware' =>'auth:web'], function () {
    Route::get('/home', 'HomeController@index')->name('home');
    Route::resource('agent','AgentController')->names('agent');
    Route::get('agent/destroy/{id}', 'AgentController@destroy');

});
bipin_1611's avatar

i updated as per your suggestion, but still i am able to access route under the auth:back.

Any logic in the Middleware?

khaledw62's avatar

did you write any logic in the constructor of any of the used controller

bipin_1611's avatar

Yes, i did,

here is,

  public function __construct()
    {
        if (Auth::guard('back')->check() == false) {
            return redirect('backoffice/login');
        }
    }
khaledw62's avatar

Auth doesn't work on the constructor btw. Because it loads after the constructor

khaledw62's avatar

Okay remove this logic, and share with me the login logic for both guards

bipin_1611's avatar

I have used Authenticatable for the both auth guard.

that is why is it conflicting each other?

when i logged in with back it won't let me open any of routes under the default web guard.

here is loginController

$user_auth = Auth::guard('back')
                    ->attempt([
                        'email'=>$request->email,
                        'password'=>$request->password
                    ],
                        $request->remember
                    );
                if($user_auth) {
                    return redirect('backoffice/admin_users');
                } else {
                    if ($errors = $this->validateFields($fields)) {
                        return redirect()->route('login')->withErrors($errors);
                    }
                    $errors = 'Please Enter Valid Email ID or Password.';
                    return redirect('backoffice/login')->withErrors($errors);
                }
                if ($this->hasTooManyLoginAttempts($request)) {
                    $this->fireLockoutEvent($request);
                    return $this->sendLockoutResponse($request);
                }
khaledw62's avatar

sorry that i ask too many questions but would you show the logout logic for both of the guards ,Or you can share the two login controller

bipin_1611's avatar
bipin_1611
OP
5 years ago
Best Answer
Level 4

I found the where the issues is causing. It's Session not expiring.

When you use the your Custom Auth:Guard, on the Logout, you have to specify which guard logging out like this

Auth::guard('name')->logout();

on the Logout method.

Please or to participate in this conversation.