daveb2's avatar

Web guard class location

I'm using Jetstream with Laravel 9.45.1 and I am trying to perform actions at a user's first login. I think I need to locate the actual source code for the web guard.

I have created a custom middleware in /app/Http/kernel.php under the web middleware group, but I don't know how to intercept a valid login at the point at which it succeeds - for example, if I do an Auth::check() then if that returns true, the login has already succeeded at that point - but this could be due to a persistent session as well as a first-time login.

What I ultimately want to do is to require a password reset if a user's password is older than a predefined number of days, but I don't want it to trash their session if their counter is up while they're logged in.

I can handle the reset easily enough by doing redirect()->to('/forgot-password')->with('password-expired', 'Password expired'); but detecting the login is eluding me.

0 likes
7 replies
jlrdw's avatar

You could set a flag in the users table that it's time for a reset, and let it happen on next login. Of course it will only work if they log out. So this is assuming the system requires logging out.

Also you can find more detail in the Laravel API.

daveb2's avatar

Thanks @jlrdw

I should add, I have set up a password_changed_at timestamp column (inspired by a @LaravelDaily video - thanks Povilas) and I can detect if the password has expired.

But what I am trying to do is add a hook on the first login - i.e. I need the check to fire only when the user first logs in, not when they are re-authenticated against stored session values.

Currently using my custom middleware, my check is fired on every page load, and redirecting the user here will cause their session to be lost if their password should happen to expire while they are logged in.

jlrdw's avatar

@daveb2 The way my bank does it:

User enters login credentials, and at that time the check is made. If it's expired, then redirect to the create new login page. So this only happens and is checked on a new login, not mid-session.

daveb2's avatar

@jlrdw agreed - that is what I want to do. My question is where can I hook this behaviour - should it go in middleware? If so, how do I check for first login and not session authentication?

Or should it go in a web guard? If so, can somebody point me to where the actual web guard code is stored? All I can find are interface and other abstract classes.

jlrdw's avatar

@daveb2 or make it simple and just compare two datetimes or timestamps as part of login. If the time span is greater than X then redirect.

Edit:

What do you mean by first login? It's created if not present. And I suppose you could use middleware, but I don't usually mess with middleware. Just do a check in the DB.

daveb2's avatar

@jlrdw Sorry I don't think I'm explaining myself very well. I agree with everything you said and currently have that working.

But, how do I detect when the user is logging in? What I mean is, when a user submits their username and password the first time, how do I detect that?

I am trying to intervene at the stage between the user getting their login credentials validated, and seeing password-protected content.

jlrdw's avatar

@daveb2

when a user submits their username and password the first time, how do I detect that?

By looking to see if those fields are null (empty).

  • They are null
  • Set one to today and another to 90 days from today (90 is an example)
  • You compare the field at login and if it's 91 days, redirect

You can use one or two fields, depending on how you check. With Carbon you can see if the login date is over 90 days from the entered date.

Upon reset, renew the field(s).

So basically on the very first login the field is blank.

1 like
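
An added example, not code from any post in this thread: one way to run the password-age check only when a login happens, by listening for Laravel's `Illuminate\Auth\Events\Login` event and letting a small middleware act on a one-time session flag. The class names, the `password_expired` session key and the 90-day limit are assumptions; `password_changed_at` and the redirect are the ones described in the thread.

```php
<?php
// Added example. Assumed names: session key 'password_expired', 90-day limit,
// both class names. users.password_changed_at is the column from the thread.
namespace App\Listeners;

use Illuminate\Auth\Events\Login;
use Illuminate\Support\Carbon;

// Map Login::class to this listener in EventServiceProvider::$listen.
// Login is fired when credentials are accepted (and when a remember-me cookie
// starts a new session), not on requests inside an existing session.
class FlagExpiredPassword
{
    public const MAX_AGE_DAYS = 90;

    public function handle(Login $event): void
    {
        $user = $event->user; // assumed to be the Eloquent User model
        if ($user->password_changed_at === null) {
            // Very first login: start the clock instead of forcing a reset.
            $user->forceFill(['password_changed_at' => now()])->save();
            return;
        }
        $expiry = Carbon::parse($user->password_changed_at)->addDays(self::MAX_AGE_DAYS);
        if ($expiry->isPast()) {
            session()->put('password_expired', true);
        }
    }
}

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

// Append to the 'web' group in app/Http/Kernel.php (after StartSession).
class ForceExpiredPasswordReset
{
    public function handle(Request $request, Closure $next)
    {
        if (! $request->session()->pull('password_expired', false)) {
            return $next($request); // no fresh-login flag: leave the session alone
        }
        Auth::guard('web')->logout(); // end the just-created session
        $request->session()->invalidate();
        $request->session()->regenerateToken();
        return redirect()->to('/forgot-password')->with('password-expired', 'Password expired');
    }
}
```

Because the flag is written only by the login listener, a password that passes its age limit while the user is already signed in does not interrupt that session; the reset is required at the next login.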