
rajeshtva

Remember me cookie is not working as expected.

I have set up a Laravel 8 project where I have made a custom LoginController for a custom guard. I am taking the email and password from the user, and have used the AuthenticatesUsers trait from the Laravel UI package (with tweaks in my LoginController, of course). The login is working fine, and I have set the remember_me cookie. I am getting that cookie in the browser.

But now I have set my session expiry time to 1 minute (just for testing how the remember_me cookie works; later I will make it longer). I am seeing that when my session expires, I am automatically logged out. It seems that the remember_me cookie doesn't work here.

I still don't understand the remember_me cookie functionality, or I am doing something wrong.

Here is my LoginController code.

    public function validateLogin(Request $request)
    {
        $validator = Validator::make($request->all(), [
            'email' => ['required', 'string', 'max:255'],
            'password' => ['required', 'string', 'min:8']
        ]);

        if ($validator->fails()) {
            $errors = $validator->errors()->toArray();
            $message = reset($errors)[0];

            return back()->with('error', $message);
        }
    }

    protected function credentials(Request $request)
    {
        return $request->only('email', 'password');
    }

    public function redirectPath()
    {
        if (method_exists($this, 'redirectTo')) {
            return $this->redirectTo();
        }

        return property_exists($this, 'redirectTo') ? $this->redirectTo : '/home';
    }

    public function login(Request $request)
    {
        // validateLogin() returns a redirect response only when validation fails.
        if ($response = $this->validateLogin($request)) {
            return $response;
        }

        /**
         * This check throttles repeated login attempts.
         */
        if (
            method_exists($this, 'hasTooManyLoginAttempts') &&
            $this->hasTooManyLoginAttempts($request)
        ) {
            $this->fireLockoutEvent($request);

            return $this->sendLockoutResponse($request);
        }

        if ($this->attemptLogin($request)) {
            return $this->sendLoginResponse($request);
        }

        $this->incrementLoginAttempts($request);

        return redirect()->route('models.login')->with('error', 'incorrect credentials');
    }

    protected function sendLoginResponse(Request $request)
    {
        if ($request->has('remember')) {
            $customRememberMeTimeInMinutes = 365 * 24 * 60;
            $rememberTokenCookieKey = Auth::guard('models-web')->getRecallerName();
            Cookie::queue($rememberTokenCookieKey, Cookie::get($rememberTokenCookieKey), $customRememberMeTimeInMinutes);
        } else {
            $this->guard()->user()->setRememberToken(null);
        }

        $request->session()->regenerate();

        $this->clearLoginAttempts($request);
        if ($response = $this->authenticated($request, $this->guard()->user())) {
            return $response;
        }
        // ddd($this->guard()->user());

        return $request->wantsJson()
            ? new JsonResponse([], 204)
            : redirect()->intended($this->redirectPath());
    }

    public function guard()
    {
        return Auth::guard('models-web');
    }

In the .env file, SESSION_DRIVER is set to file and SESSION_LIFETIME is 1 minute.

rajeshtva

It turned out that I was doing everything right except the code in sendLoginResponse(Request $request). I don't know much about this code, but it was supposed to set the remember cookie expiration time to 1 year. Maybe it does that, but it was definitely causing issues. On commenting out these lines, the whole login response works just fine.

For newcomers like me, I will explain how the whole remember cookie works.

When a user logs in with remember me enabled, the user's login credentials pass through Auth::attempt($this->credentials(), $remember). Here the $remember variable is a flag that tells whether the user wants to be remembered or not. If $remember is set, the server sends a remember cookie along with the laravel_session cookie and the XSRF cookie. If you have delete cookies enabled in your browser (like in my Firefox), you will see the expiration time of the cookie as session. But when you have delete cookies disabled, you will see the expiration time of the remember cookie as 5 years. So the whole point is to save this cookie in the browser; if the user closes the browser and the browser doesn't delete this cookie, then when the user visits your site again, this cookie also goes to the server with the request. The server authenticates this cookie and automatically logs the user in. The cookie remains valid until the user logs out.
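
The flow described in the reply above, as an added example that is not part of the original posts and is not Laravel's code: a simplified model in plain PHP where the `RememberStore` class, the `id|token` cookie layout and user id 42 are assumptions. It also models the failure in the question's `sendLoginResponse()`: `Cookie::get()` reads the incoming request, and a first login request does not carry the remember cookie yet, so the value re-queued there is null.

```php
<?php
// Simplified model of a remember-me flow. Not Laravel's implementation:
// the class, the "id|token" cookie layout and the sample values are assumptions.
final class RememberStore
{
    /** @var array<int, string> user id => SHA-256 hash of the current token */
    private array $hashes = [];

    // Login with "remember" ticked: issue a random token, store only its hash.
    public function issue(int $userId): string
    {
        $token = bin2hex(random_bytes(32));
        $this->hashes[$userId] = hash('sha256', $token);
        return $userId . '|' . $token; // value of the long-lived cookie
    }

    // Session expired but cookie sent: return the user id to log in, or null.
    public function recall(?string $cookie): ?int
    {
        $parts = explode('|', (string) $cookie);
        if (count($parts) !== 2 || !ctype_digit($parts[0])) {
            return null; // missing or malformed cookie
        }
        $known = $this->hashes[(int) $parts[0]] ?? null;
        // hash_equals() compares in constant time.
        if ($known === null || !hash_equals($known, hash('sha256', $parts[1]))) {
            return null;
        }
        return (int) $parts[0];
    }

    // Logout: forget the token so a copied cookie stops working.
    public function revoke(int $userId): void
    {
        unset($this->hashes[$userId]);
    }
}

$store = new RememberStore();
$cookie = $store->issue(42); // constructed user id

var_dump($store->recall($cookie)); // session expired, cookie still sent

// The login request carries no remember cookie yet, so a value read from it
// is null; re-queuing that value replaces the freshly issued cookie.
$loginRequestCookies = []; // constructed: cookies on the login request
var_dump($store->recall($loginRequestCookies['remember'] ?? null));
$store->revoke(42);
var_dump($store->recall($cookie)); // after logout the old cookie is rejected
```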
