
tinyCoder's avatar

Unauthenticated error when multiple users login from same browser

I'm having a really strange issue with Laravel 6. In a fresh installation, if a user logs in to the app and logs out, then another user logs in from the same browser, I get an "Unauthenticated" error for Ajax requests in the dashboard page, as the user seems to be logged out. If I refresh the page, the user is redirected to the login page again.

The weird thing is that we stay unable to log in for a while (30m or so) even from other computers, and then later the second user can log in again.

What I tried:

  • Changing session driver between file and database, same issue.

  • Reinstalling a fresh version of Laravel 6, same issue.

  • Changing PHP version between several versions > 7.2, same issue.

  • Uploaded the project to 3 different servers and the issue persisted.

  • Played with session timeout.

  • Always cleaning project caches, browser caches, always unable to login.

I assume that there is something related to sessions, but I couldn't find it. I appreciate your help guys.

0 likes
29 replies
jlrdw's avatar

Normally "out of the box" authentication works correctly, including the log out part. Make sure you did not skip something, re-read https://laravel.com/docs/6.x/authentication

For simple testing, I always logout, login as another user and all works as expected.

tinyCoder's avatar

I've been stuck with this issue for more than a month, and I tried everything I could. Is there a legal way that I can let you check the code/error yourself?

I'm really depressed after all this wasted time with this strange error.

Snapey's avatar

Do you invalidate the session on logout? What does your logout code look like?

tinyCoder's avatar

It's a normal <a href="{{ route('logout') }}">Logout</a> URL, the route in my web.php is:

Route::get('logout', '\App\Http\Controllers\Auth\LoginController@logout');

I'm using the default logout controller.

tinyCoder's avatar

Thank you, but it is not my problem; I'm already doing a redirect if the Ajax request returns 401. But the question is WHY? I just logged in, why would Laravel log me out directly after login?!

fylzero's avatar

@tinycoder

Using an Axios interceptor to refresh the page, or steer the user to the login page, is probably what you're looking for... When an Axios call comes back Unauthenticated this will execute location.reload() and refresh the page, see that you aren't logged in and send you to the login screen to re-authenticate.

https://stackoverflow.com/questions/49341888/how-to-refresh-the-laravel-token-on-api-calls-with-passport/57438804#57438804

Just put this code block in your bootstrap.js file under the window.axios stuff.

// Refresh Laravel Session for Axios
window.axios.interceptors.response.use(
    function(response) {
        // Call was successful, don't do anything special.
        return response;
    },
    function(error) {
        // error.response is undefined on network errors, so check it first.
        if (error.response && error.response.status === 401) {

            // Reload the page to refresh the laravel_token cookie.
            location.reload();
        }

        // If the error is not related to being Unauthorized, reject the promise.
        return Promise.reject(error);
    }
);

I would possibly argue this is more of a Vue issue than a Laravel issue, just making the assumption here that you're using Vue and that this is what you're running into, as it took me a while to find a good solution to it.

24 likes
jlrdw's avatar

After a log out add a redirect to the login page.

Or any other friendly page that has a link to login.

tinyCoder's avatar

Do you mind leading me to the best way to do it?

fylzero's avatar

@tinycoder Only asking because it wasn't specifically mentioned... have you tried clearing your cookies... using cookie as the session setting... and trying again after clearing cookies?

24 likes
tinyCoder's avatar

I tried clearing cookies and the browser cache. The very strange issue is that the account becomes inaccessible even from other computers that have never logged in before. It looks like there is something saved on the server causing the "unauthenticated" error for user accounts!

fylzero's avatar

@tinycoder

To clear a session:

When using cookie: Clear cookies in your browser.

When using file: Delete the session from the storage folder.

rm -f storage/framework/sessions/*

When using database: Truncate (clear) the sessions table in your database.

Clearing your cache isn't going to clear the session. You need to remove those things or like I said, use cookies and clear cookies. Which is actually the way Taylor Otwell recommends to do sessions.

24 likes
tinyCoder's avatar

@fylzero

  • php artisan session:flush
  • php artisan cache:clear
  • php artisan view:clear
  • php artisan route:clear
  • php artisan clear-compiled
  • php artisan config:cache

I did that multiple times. I also deleted session files manually from the server, and when using the database I even removed sessions manually from the table.

The user still cannot access the website.

fylzero's avatar

@tinycoder Maybe try dropping the SESSION_LIFETIME down in the .env file to like 3 minutes to verify if the issue is actually session based?

24 likes
tinyCoder's avatar

The only thing that semi-worked is checking the "remember me" box... it keeps the user logged in for a while. But then all Ajax calls give "Token Mismatch", even though I'm sending the token in the header and as a parameter; it always mismatches.

fylzero's avatar

@tinycoder Does changing the SESSION_LIFETIME affect the amount of time you have to wait or no? Change this to 3... try again after waiting 5 minutes... does that allow you to login the other user? If so, at least you'll know for sure that it is session related.

24 likes
tinyCoder's avatar

I am testing it now, I'll reply back in a few minutes. Thank you.

tinyCoder's avatar

Unfortunately, it didn't change anything.

jlrdw's avatar

This is really getting overcomplicated:

On the logout method, add a redirect:

    public function logout()
    {
        Auth::logout();
        return redirect('home');  // or your home, main page
    }

All there is to it.

Edit: If you have changed things, change back to out of box authentication. It works perfect.

tinyCoder's avatar

@jlrdw Thanks, I just tried it, it didn't change. {"message":"Unauthenticated."}

I clicked the "remember me" box, then I can login, so I modified the core code that shows this message to print the token coming from the request and the current user token, they are equal, however, it gives a "token mismatch" error.

I'm sending the token with ajax requests as a header param:

$.ajaxSetup({ headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') } });

I also tried it as a "_token" value in the forms.

jlrdw's avatar

First, if you have people logging out and others logging in on same terminal, you do not need or should not use remember me. Do away with that. That may be messing you up.

Are you using Ajax for all of this?

You need to redirect in JS:

window.location.href = "your_location";

No wonder the other redirect did not work.

tinyCoder's avatar

Without touching "remember me", and on a fresh installation, and in an Incognito window in Chrome, the problem persists.

Scenario:

I can show a live video... it's really a very strange behavior I'm having here.

tinyCoder's avatar

The login is not Ajaxed, but there are some ajax functions right after the login page (in dashboard), "Datatables integrated with Yajra".

jlrdw's avatar

All I know for sure is that out of box authentication works, including the logout part. And did you see my updated answer above about the JS redirect?

tinyCoder's avatar

Yes, I used redirect with javascript when the "unauthenticated" error returns, result: an infinite loop => Login -> Page loaded -> datatable ajax triggered -> got "unauthenticated" message -> redirected to logout... etc.

Is there a way that I can provide login information privately? or this is prohibited in the forum? this is my first post here, I never asked for help before as I always solve issues myself, but this one? a month of suffering.
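
The loop described above (login, dashboard Ajax returns "Unauthenticated", redirect, repeat) is what an unconditional reload-on-401 handler produces when reloading does not restore the session. As an added example that is not part of the original thread, here is a 401 handler that stops after a bounded number of reloads inside a time window; `makeUnauthorizedHandler`, the storage key, the thresholds and the injected callbacks are assumptions.

```javascript
// Added example; makeUnauthorizedHandler, KEY and the option names are hypothetical.
const KEY = 'auth401.reloads';

function makeUnauthorizedHandler({ storage, now, reload, giveUp, maxReloads = 2, windowMs = 30000 }) {
  return function onError(error) {
    // Network errors and timeouts carry no response object; do not dereference it blindly.
    const status = error && error.response ? error.response.status : null;
    if (status === 401) {
      let recent;
      try { recent = JSON.parse(storage.getItem(KEY) || '[]'); } catch (_) { recent = []; }
      if (!Array.isArray(recent)) recent = [];
      const t = now();
      // Keep only reloads that happened inside the sliding window.
      recent = recent.filter((ts) => typeof ts === 'number' && t - ts < windowMs);
      if (recent.length >= maxReloads) {
        // Reloading did not restore the session: stop looping and hand off.
        storage.removeItem(KEY);
        giveUp(error);
      } else {
        recent.push(t);
        storage.setItem(KEY, JSON.stringify(recent));
        reload();
      }
    }
    return Promise.reject(error);
  };
}

// Constructed simulation: `calls` consecutive 401s, `stepMs` apart, against in-memory storage.
function simulate(calls, stepMs) {
  const mem = new Map();
  const storage = {
    getItem: (k) => (mem.has(k) ? mem.get(k) : null),
    setItem: (k, v) => { mem.set(k, String(v)); },
    removeItem: (k) => { mem.delete(k); },
  };
  let clock = 0, reloads = 0, gaveUp = 0;
  const handler = makeUnauthorizedHandler({
    storage, now: () => clock, reload: () => { reloads += 1; }, giveUp: () => { gaveUp += 1; },
  });
  for (let i = 0; i < calls; i += 1) {
    handler({ response: { status: 401 } }).catch(() => {}); // swallow the expected rejection
    clock += stepMs;
  }
  return { reloads, gaveUp };
}
```

In the browser, pass `sessionStorage`, `Date.now`, `() => location.reload()` and a `giveUp` that navigates to a static login page with no authenticated Ajax on it, then register the handler as the second argument of `window.axios.interceptors.response.use`.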

jlrdw's avatar

You need to redirect to a page that has nothing to do with any kind of data. Redirect to a nothing page except a link to login. Let that be the only thing on the page, of course some style.

You are somehow redirecting to a cached page.

shez1983's avatar

@tinycoder The default logout link that Laravel uses out of the box is a POST logout, not a GET, btw. Some food for thought?

jlrdw's avatar

How did you even get that route? The out of box scaffolding takes care of all that for you.

And yes I missed that earlier but I mentioned to you the out of box works.

tinyCoder's avatar

@shez1983 I tried the POST: I wrapped the logout button in a form whose action is the logout URL, with the token included... same thing.

The only way users can log in again is just to wait... for 20 minutes or 30, then they can log in again without cleaning cookies or cache or even changing the browser window.

I recorded a video of 15 minutes showing a detailed demo, but I realized at the end that the mic was muted :(

I will try it again tomorrow.
