
heli0s:

Session issue - requests processing after logout

Hi all.

I'm exploring laravel to see if I want to use it for a new project. I'm in the process of going through the documentation and writing a simple demo app to get acquainted. While creating a user management interface, I noticed some strange behavior. I created a user controller to handle user edit actions, and POST routes for edit actions with 'auth' filters to ensure you can only access those routes when authenticated. That all worked fine, until I left my browser open one day on my user edit form, and tried deleting a user with my session expired. I thought this was a good chance to test out the auth filter. As expected, it redirected me to the login form. However, instead of authenticating I closed out the browser, relaunched, authenticated, and started browsing around my site. When I listed the users I noticed that the user I deleted (while not authenticated) was deleted.

I did further testing to confirm this. What seems to be happening is there must be some session remembrance of the action I did while NOT authenticated, such that when I did authenticate (regardless of what page I'm accessing), that action then processes as soon as I log in.

I can understand this as a desirable thing if you are accessing a page when your session expires, so that you get redirected to login first, and then back, but that is not what I'm talking about here. I'm performing a request while not authenticated, aborting, and then starting a whole new request for another part of the site, authenticating, and then my aborted action gets processed. Hopefully that makes sense.

Does anyone have an idea for what I can do to correct this behavior without writing some custom filters? Surely this isn't intended default behavior. Just to point out, I'm doing my best to use out of the box features as much as possible for the demo in order to learn the framework.

Thanks! Adam

2 replies

kreitje:

Hi Adam,

Are you deleting users from a GET request instead of a POST? If you are using the provided auth controller, it will redirect to the intended page automatically via a GET request or fallback to another page if there wasn't an intended page.

If your session expired and you went to /delete-me, you would be redirected to the login page, and /delete-me is now the intended page, so as soon as you login, you will be automatically sent to /delete-me.

heli0s:

Thanks for your reply. I'm using both POST and GET for certain things.

I solved my issue. My problem was multi-faceted. First off, one of my POST routes was somehow missing my auth filter, which I could have sworn I checked. Second, the GET routes were doing exactly what you say, although differently than I expected, which was causing my confusion.

To clarify: I dug through the laravel code and saw exactly how it works:

  • Default auth filter does a redirect to the login route using the Redirect::guest method, which stores the intended URL (url.intended) in session.
  • Login route then executes your login handler, which in my case I was doing a Redirect::intended after authentication, which is what you want in most cases. The Redirect::intended method extracts the intended URL from the session and redirects you there.

That is all great, but the problem with that is the lifespan of 'url.intended'. I contend that it should only last for one HTTP request action and then be destroyed. The fact that it persists for the life of your session is what was throwing me off. Even though I seemingly aborted that action which required authentication by starting a new request at another path, that 'url.intended' session variable persisted such that when I did finally log in it executed my stored GET request, which I did not want.

I worked around this by modifying the default 'auth' filter to accept a parameter, which will toggle between doing a Redirect::guest vs Redirect::to. That way I can turn the 'url.intended' functionality on/off for various routes as desired.
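The mechanism and the workaround described in this thread, written out as an added Laravel 4 style app/filters.php example. This is not the poster's own code; the 'nointended' filter parameter and the route and controller names are assumptions made for the illustration.

```php
<?php
// Added example (not the poster's code): an 'auth' filter that takes a
// parameter deciding whether the blocked URL is remembered for later.

Route::filter('auth', function ($route, $request, $value = null)
{
    if (Auth::guest()) {
        if ($request->ajax()) {
            return Response::make('Unauthorized', 401);
        }
        // Redirect::guest() stores URL::full() as 'url.intended' in the
        // session, where it survives until Redirect::intended() consumes it.
        // Redirect::to() stores nothing, so a request that changes state
        // cannot be replayed after an unrelated later login.
        if ($value === 'nointended') {   // assumed parameter name
            return Redirect::to('login');
        }
        return Redirect::guest('login');
    }
});

// Read-only page: remembering it and returning after login is convenient.
Route::get('users', array(
    'before' => 'auth',
    'uses'   => 'UserController@index',
));

// State-changing action: never remembered as the intended URL, kept on POST
// rather than GET so a stale link cannot trigger it, and CSRF-checked.
Route::post('users/{id}/delete', array(
    'before' => 'auth:nointended|csrf',
    'uses'   => 'UserController@destroy',
));

// Login handler: Redirect::intended() pulls 'url.intended' from the session,
// falling back to the given default when nothing was stored.
Route::post('login', function ()
{
    $ok = Auth::attempt(array(
        'email'    => Input::get('email'),
        'password' => Input::get('password'),
    ));
    if ($ok) {
        return Redirect::intended('users');
    }
    return Redirect::to('login')->withInput(Input::except('password'));
});
```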
