
chuoke's avatar

When should logoutOtherDevices be called when changing password

Hi, I do not quite understand the underlying logic of logoutOtherDevices, I do not know when to call it when I handle the change password feature. Before or after changing the password?

The doc: https://laravel.com/docs/8.x/authentication#invalidating-sessions-on-other-devices

0 likes
3 replies
Braunson's avatar

logoutOtherDevices invalidates all other sessions for a user account. There is a video on this here at Laracasts https://laracasts.com/series/whats-new-in-laravel-5-6/episodes/7

If you take a look at the function itself in the laravel/framework repository you can see more of what it does: https://github.com/laravel/framework/blob/8.x/src/Illuminate/Auth/SessionGuard.php#L642-L658

  1. Checks if there is a logged-in user
  2. Rehashes the user's password
  3. Checks if the cookie needs to be queued or not to be updated
  4. Fire the event OtherDeviceLogout for the specified user

So by rehashing the user's password and updating the current user's cookie session ID, you invalidate the other logged-in users' sessions, forcing them to log in again.

chuoke's avatar

@Braunson Thanks for the response. But I already checked the video and code. I'm still a little confused. Simply, it is about the current password in Auth::logoutOtherDevices($currentPassword); should it be the old password or the new password when I change the password?

Braunson's avatar
Braunson
Best Answer
Level 18

@chuoke If you are calling this manually, it can be any password, old or new; the method rehashes the user's password and updates the cookie with a new session ID. In essence you're invalidating the auth session, which contains $user->getAuthIdentifier().'|'.$user->getRememberToken().'|'.$user->getAuthPassword()

When the other logged-in devices try to re-authenticate with their saved auth session, Laravel checks and sees the auth session is invalid since it no longer matches the rehashed password in the DB (from the one that's piped (above) stored in their cookie).

2 likes
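
The mechanism described in the answer above, as an added plain-PHP sketch that is not part of the thread and not Laravel's own code: each device keeps a copy of `id|remember token|password hash`, and rehashing changes the hash string even when the plaintext is the same. The user array, its sample values and the helpers `authFingerprint()` and `deviceIsValid()` are hypothetical names constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed user record; field names and values are assumptions for this sketch.
$user = [
    'id'             => 7,
    'remember_token' => 'tok-constructed',
    'password'       => password_hash('s3cret-old', PASSWORD_BCRYPT),
];

// The value the answer describes: identifier | remember token | password hash.
function authFingerprint(array $user): string
{
    return $user['id'] . '|' . $user['remember_token'] . '|' . $user['password'];
}

// A device stays authenticated only while its saved copy matches the database.
function deviceIsValid(string $saved, array $user): bool
{
    return hash_equals(authFingerprint($user), $saved);
}

// Two devices log in; each keeps its own copy of the fingerprint.
$laptop = authFingerprint($user);
$phone  = authFingerprint($user);

// Rehash the SAME plaintext. bcrypt draws a fresh random salt,
// so the stored hash string changes although the password did not.
$user['password'] = password_hash('s3cret-old', PASSWORD_BCRYPT);

// Only the device that made the request gets its saved copy refreshed.
$laptop = authFingerprint($user);

$results = [
    'password still verifies'       => password_verify('s3cret-old', $user['password']),
    'laptop (current device) valid' => deviceIsValid($laptop, $user),
    'phone (other device) valid'    => deviceIsValid($phone, $user),
];

foreach ($results as $label => $ok) {
    printf("%-32s %s\n", $label, $ok ? 'yes' : 'no');
}
```

The comparison uses `hash_equals()` so the check runs in constant time; the phone's stale copy fails it and that device has to log in again.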
