
rizwan157

Laravel session conflict sometimes (Weird Issue)

I'm using Laravel 5.4 and using "zizaco/entrust": "^1.7" for roles and permissions. I've multiple roles of users like admin, employees.

Issue: My client mentioned that sometimes, when he is logged in with his ID (employee), his ID switches to the Admin ID with all rights. I have also experienced the same issue: I was logged in as Admin, but after some time, when I refreshed my page, the ID switched to an employee ID with all employee rights.

What I'm doing: I'm storing the logged-in user's permissions in the session, and when he requests a page his permissions are checked.

In User.php

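// Needs at the top of User.php:
//   use Illuminate\Support\Facades\Auth;
//   use Illuminate\Support\Facades\Session;

public static function getPermission($checkPermissions = null)
    {
        if (!Session::has('userPermissions')) {
            // Nothing cached yet: load the permissions from the database.
            // userPermissions() also stores them in the session.
            $user = new User();
            $userPermissions = $user->userPermissions();
        } else {
            // Reuse the permission names already cached in this session.
            $userPermissions = Session::get('userPermissions');
        }

        return in_array($checkPermissions, $userPermissions);
    }


public function userPermissions()
    {
        // Only the first role of the authenticated user is considered.
        $role = Auth::user()->roles()->first();
        $perms = permissionroles::where('role_id', $role->id)->get();
        $permissions = [];
        foreach ($perms as $key => $permission) {
            $permissions[] = $permission->permission_id;
        }

        // Resolve the permission ids to permission names.
        $perm = permissions::whereIn('id', $permissions)->get();
        $userPermissions = [];
        foreach ($perm as $key => $permission) {
            $userPermissions[] = $permission->name;
        }

        // put() stores the flat list of names; push() would nest the array
        // inside another array, so in_array() would never match a name.
        Session::put('userPermissions', $userPermissions);
        return $userPermissions;
    }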

Using the above method I'm getting all allowed user permissions, but the problem is that it sometimes switches the user ID.

And on navigation bar:

@if(App\User::getPermission('can_view_dashboard'))
          <li><a href="{{ route('dashboard')}}"><i class="fa fa-home"></i> Dashboard</a> </li>
@endif 

What I've tried: I've changed session_driver to files and cookies but still getting this issue sometimes.

Please suggest what I should do.

mdecooman

Without knowing much about your app, try to check your authentication process, knowing that your user may have activated the 'remember me' token. That would explain the login as admin: if they didn't log out properly and the session timed out, then when they try to access the page it takes the remember token and cookie info, etc.

Look as well in the data in your session and cookies when a user logs in with different credentials and from different browsers.

It may give you more insights. As a rule of thumb, with Laravel, I always try to stick with what it offers out of the box for ACL and auth. Customizing as needed instead of plugging in another package has always helped me to upgrade fast to the latest releases. Anyhow, hope you find your culprit.
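One way to collect the session and remember-me data the reply suggests inspecting, as an added example that is not part of the thread or of any poster's code: a diagnostic middleware that logs which user each session resolves to and flags a session whose authenticated user changes. The class name `AuditSessionIdentity` and the session key `audit.user_id` are hypothetical; `userPermissions` is the key used in the question.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

// Hypothetical diagnostic middleware (added example, not from the thread).
class AuditSessionIdentity
{
    public function handle($request, Closure $next)
    {
        if (Auth::check()) {
            $session  = $request->session();
            $current  = Auth::id();
            // 'audit.user_id' is a constructed key used only by this middleware.
            $previous = $session->get('audit.user_id');
            $role     = Auth::user()->roles()->first();

            $context = [
                // Log a truncated hash, never the raw session id.
                'session'      => substr(hash('sha256', $session->getId()), 0, 12),
                'user_id'      => $current,
                'previous_id'  => $previous,
                // true when this request was authenticated from the remember-me cookie
                'via_remember' => Auth::viaRemember(),
                'role'         => $role ? $role->name : null,
                'cached_perms' => $session->get('userPermissions'),
                'ip'           => $request->ip(),
                'user_agent'   => $request->header('User-Agent'),
            ];

            if ($previous !== null && (string) $previous !== (string) $current) {
                // Same session, different user: drop the permissions cached
                // for the previous identity so they cannot be reused.
                $session->forget('userPermissions');
                Log::warning('Authenticated user changed within one session', $context);
            } else {
                Log::debug('Session identity check', $context);
            }

            $session->put('audit.user_id', $current);
        }

        return $next($request);
    }
}
```

Register it in the `web` middleware group in `app/Http/Kernel.php`, after `StartSession`, so the session is available when it runs.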
