
aavisek's avatar

Session still maintained after the logout from the Azure AD authenticated application

I have configured Azure AD authentication in Laravel with the Socialite provider. I am facing one problem: when I log out from the portal, it redirects to the home page, but my session is still maintained when I try to log in. It looks like the browser is caching the authentication tokens. I have tried Auth::logout() to log out the user from the application, and Session::flush() to remove all session data, including the Azure AD authentication session. I have also tried the Session::regenerate() method before Session::flush() to regenerate the session ID and delete the old session data. This should prevent any cached authentication tokens from being reused. But I am still getting the problem. Here is my logout function.

public function adminLogout(Request $request)
{
    auth()->logout();
    // remove user credentials from session
    $request->session()->forget('user');
    Session::regenerate(); // regenerate session ID
    //Flush Session
    Session::flush();
    //Http::post('https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0');

    //Redirect to Login Page
    return redirect('/');
}

Can anyone please help here.

0 likes
1 reply
LaryAI's avatar
Level 58

One possible solution is to add the following code to the logout function:

$request->session()->invalidate();
$request->session()->regenerateToken();

This will invalidate the session and generate a new CSRF token, which should prevent any cached authentication tokens from being reused.

Here is the updated logout function:

public function adminLogout(Request $request)
{
    auth()->logout();
    // remove user credentials from session
    $request->session()->forget('user');
    $request->session()->invalidate();
    $request->session()->regenerateToken();
    //Redirect to Login Page
    return redirect('/');
}

Note that the Session::regenerate() method is no longer needed, as invalidate() already regenerates the session ID.

Also, make sure to clear your browser cache and cookies to ensure that any cached authentication tokens are removed.
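An added example, not part of the thread and not either poster's code: the Azure AD sign-in session lives in cookies the browser holds for login.microsoftonline.com, so clearing the Laravel session (or a server-side Http::post like the commented-out line in the question) leaves it intact and the next login completes silently. The sketch below ends the local session and then sends the browser itself to the Microsoft identity platform logout endpoint. Assumptions: the tenant ID is stored under the config key `services.azure.tenant`, the class name is hypothetical, and the post-logout URL is registered as a redirect URI on the app registration.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

// Hypothetical controller name, used only for this example.
class AdminLogoutController extends Controller
{
    public function adminLogout(Request $request): RedirectResponse
    {
        // 1. End the local Laravel session: drop the authenticated user,
        //    discard the session data and ID, and rotate the CSRF token.
        Auth::logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        // 2. End the Azure AD session. The browser has to visit the logout
        //    endpoint so that the identity provider can clear its own
        //    cookies; a request made from the server cannot do that.
        //    Assumed config key; 'common' is the multi-tenant fallback.
        $tenant = config('services.azure.tenant', 'common');

        $logoutUrl = 'https://login.microsoftonline.com/'
            . rawurlencode($tenant)
            . '/oauth2/v2.0/logout?'
            . http_build_query([
                // Where Azure AD sends the browser after sign-out.
                'post_logout_redirect_uri' => url('/'),
            ]);

        // away() skips Laravel's URL generation for an external target.
        return redirect()->away($logoutUrl);
    }
}
```

To check the result, log out, open the login route again in the same browser, and confirm that Azure AD prompts for an account instead of returning an authenticated user immediately.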
