Dzoni's avatar

Laravel 5.2: User not logged out after session timeout

Hi.

I have a situation where the user is still logged in after the session expires (lifetime set to 1). My dashboard is under the auth middleware, so after session expiry I start debugging, and every link is taking me to Authenticate.php and the handler method:

public function handle($request, Closure $next)
{
    if ($this->auth->guest()){
        if ($request->ajax()) {
            return response('Unauthorized.', 401);
        } else {
            return redirect()->guest('login');
        }
    }

    return $next($request);
}

The problem is that $this->auth->guest() returns false, every time. Auth::check() returns true.

So, the user is still logged in. I thought I solved the issue by setting session domain to null, but that backfired elsewhere, sessions went nuts and I couldn't keep my navbar links in order because Auth::check() was working irregularly.

Now my session domain is '.app.tech', because I have subdomains, and logging in and logging out works fine, everything is in place. The only thing not working is Auth when session expires. $this->auth->guest() returns false and the dashboard controller is called which later fails because user id can't be fetched from the expired session.

Any help? Tell me if you need more information.

Dzoni's avatar

@RamjithAp

auth and remove.sub were used on the dashboard routes group. Classes in the web array were commented out.

protected $routeMiddleware = [
    'auth'       => 'App\Http\Middleware\Authenticate',
    'auth.basic' => 'Illuminate\Auth\Middleware\AuthenticateWithBasicAuth',
    'guest'      => 'App\Http\Middleware\RedirectIfAuthenticated',
    'auth.admin' => 'App\Http\Middleware\AuthAdminMiddleware',
    'auth.agent' => 'App\Http\Middleware\AuthAgentMiddleware',
    'remove.sub' => 'App\Http\Middleware\RemoveSubMiddleware'
];

protected $middlewareGroups = [
    'web' => [
         \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
         \Illuminate\Session\Middleware\StartSession::class,
         \Illuminate\View\Middleware\ShareErrorsFromSession::class,
         \App\Http\Middleware\VerifyCsrfToken::class,
    ],
    'api' => [
        'throttle:60,1',
    ],
];

I uncommented them and set the group middleware like this 'middleware' => ['remove.sub', 'web']

No change.

adelf's avatar

There is an auth cookie. So, Laravel just reauthenticates him again, I think...

Snapey's avatar

Have you got a remember token in the user database? The user will just be logged back in automatically.

(also, all your routes should already have 'web' middleware. Check with php artisan route:list)
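
An added example, not code from any post in this thread: if the cause is the remember-me cookie, as the last two replies suggest, a route middleware can refuse logins that were silently rebuilt from that cookie, so the session lifetime is actually enforced on the dashboard. The class name `RequireFreshLogin` is hypothetical; `Auth::viaRemember()` and `Auth::logout()` are the session guard's own methods.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

// Hypothetical middleware (added example, not from the thread).
// Rejects requests whose user was restored from the remember-me cookie
// instead of from a live session.
class RequireFreshLogin
{
    public function handle($request, Closure $next)
    {
        // Auth::check() resolves the user first. When the session holds no
        // user id but a valid remember cookie is present, the guard logs the
        // user back in and viaRemember() returns true for this request.
        if (Auth::check() && Auth::viaRemember()) {
            // Drop the rebuilt login and queue removal of the remember
            // cookie, so the next request is a guest as well.
            Auth::logout();

            // Same responses as the Authenticate middleware quoted above.
            if ($request->ajax()) {
                return response('Unauthorized.', 401);
            }

            return redirect()->guest('login');
        }

        return $next($request);
    }
}
```

Register it in `$routeMiddleware` under a key of your choice and list it after `web` on the dashboard group, since it depends on the session and queued-cookie middleware having run.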
