Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

khanson's avatar

Session timeout not triggering auth logout event

I'm using 5.3 and I have a listener listening for when a user logs out. The listener is triggered when I log out manually, but not when the session times out or I close the browser.

Here's the set up for the event listening in my EventServiceProvider:

/**
     * The event listener mappings for the application.
     *
     * @var array
     */
    protected $listen = [
        'Illuminate\Auth\Events\Logout' => [
            'App\Listeners\UserLoggedOut',
        ],
    ];

And the listener itself:

namespace App\Listeners;

use App\Mail\RegistrationIncomplete;
use Illuminate\Auth\Events\Logout;
use Illuminate\Support\Facades\Mail;

class UserLoggedOut
{
    /**
     * Create the event listener.
     */
    public function __construct()
    {
        //
    }

    /**
     * Handle the event.
     *
     * @param  Logout  $event
     * @return void
     */
    public function handle(Logout $event)
    {
        // if the user hasn't completed registration, send them an email
        $user = $event->user;
        if ($user->ui_step < 5) {
            $incompleteRegistration = new RegistrationIncomplete($user);
            Mail::to($user)->send($incompleteRegistration);
        }

    }
}

Any thoughts?

0 likes
8 replies
Snapey's avatar

yep, not possible.

code only runs when there is a request. No request, no code execution.

Snapey's avatar

the answer is correct in so much as you could write a new session handler that notes whose session is being wiped when the garbage collector runs.

however, you have no idea when it will be called. it could be hours later and you would have no idea at what point the user left.

The best you could do is to use something fast like a redis store and then update a 'last access' value for each user at each and every request - probably via a middleware. Login upto last access is the user's session duration, after all, when the last page loads in the users browser you have no idea if they continue to view it for 30 minutes or just get up and walk away.

khanson's avatar

I see.

Thanks for walking me through it!

Grelav's avatar

You can use javascript to do that. Settimeout function to be active after the time you expect your session to die and redirect the user to another location

setTimeout(function(){

window.location = 'app/session_times_out' // example to your route.

},60000)
Snapey's avatar

@Grelav

active after the time you expect your session to die

in that browser tab... what if you are working happily in another tab?

Grelav's avatar

@Snapey It works.

try it yourself

setTimeout(function(){

    alert("Yeah It Works :)");
      
},15000);

Tested using FireFox 62.0.3 (64-bit)

Snapey's avatar

@grelav you are missing the point (not to mention that this is a year old question)

Javascript in one tab can think the user's session should have expired, but actually they are working on your site quite happily in another tab. Try it yourself.

2 likes

Please or to participate in this conversation.