Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
So here is what I would like to do:
Here is an idea on how to achieve that:
Is this a valid solution? Is there a better way of achieving this?
I had to do something similar before. What I did then was creating a new middleware that is checking the logged user's fields ("browser", "platform" and "device") and check them against the current request.
If is something else then update the user's data and flash the message (or additional action) and return the $next object as usual. Do not forget to register the new middleware to be executed on all requests.
Hope that helps you.
@M7VM7V - Well in that case I'll be able to store only one "current device". What I would like to do is that if he changes browser or device he gets notified of a new connection and stores the value. This way you get to have multiple "trusted devices".
Let's say I connect from my laptop, then for some reasons I connect to a public pc and connect to my account. Now if I go back to my laptop (which should be now trusted) I would still get notified, which is something I'd like to avoid.
@dlebedef so then you could easily create a new table with trusted_devices and a pivot table between the records and the users so then the user could have a hasMany relationship with the trusted_devices so then in the middleware you could check against this table.
@M7VM7V - The trusted_devices table is definitely something I could use. But let's say some great hacker uses my same device, platform, browser and because he's really talented he somehow figures out my password. So the application would look for a match in the trusted_devices and would get a positive response.
But would it help to also:
1- store the IP address for an additional "security" comparison
2- use a cookie associated with the table trusted_devices so that if absent a notification is sent to the user, while if present we check for that entry in the table and check the additional matches between devices, platforms and browsers (plus the IP address)
Now I understand that these two steps rely on elements that can "easily" be modified by users, but they do add additional controls that could help. I would for instance be notified if I logged from the same pc but from different browsers, only once though as then both browsers would have the cookie and the device information would be stored in the database.
@dlebedef You can extend that table as much as you would like.
What I would suggest is to look after like two factor authentication, this one looks like a good one to help you with. Hope the link is not considered against the rules. https://scotch.io/tutorials/how-to-add-googles-two-factor-authentication-to-laravel
@M7VM7V - Great, thank you! Two-factor authentication is something I will definitely use in another project I'm working on and this looks like a great tutorial.
If you are worried about a hacker pretending to be a certain device and such, you are barking up the wrong tree. Everything, and I mean EVERYTHING is hackable.
Remember, they need the following to properly 'hack' you in your trusted_device land:
The only thing this user is missing, that would make it easier is direct access to your email, and to be honest, if they have all this data, they most likely have access to your email.
So to be 100% honest, I do not see where you need to worry past this point. This is plenty of security. The saying: more security is always better, is only a half truth. You could require a pin as well as a password, you could require two factor auth, you could require login confirmation via email on every attempt... but sooner or later, you have so much security that the usablity of your site suffers. No one wants hacked, but additionally users HATE security parameters. Its the story of our lives haha. I think you have a good solid idea with trusted devices, and possibly even two factor auth... but I think you are 'safe'
@CMDOBUENO - Sure and I totally agree, that's why in this circumstance I'm not looking to apply additional authentication mechanisms such a two-factor authentication.
What I'm looking to achieve here is not really to enhance the security of the system but add this additional "layer" where the user is informed of a new connection to his account.
Of course as you said it is not 100% safe, nothing really is, but it might help in finding some anomalies and irregularities without really compromising the user experience.
Anyway, thank you for your feedback!
I agree, the additional/trusted device concept is fantastic. I really like it, as it is a one time annoyance (per device), which users are totally okay with, from my experience. I do believe it is a rather elegant solution.
I would use a table as has been suggested, keeping track of the device features, it issue with using IP, is that cell phones are annoying when it comes to this, I am not well versed on if each browser has its own finger-print (they really need to give the web something like this), so we know the specific browser, but again... not my area so I am not 100% certain. Worst case, you have to use IP and user agent, but that is not horrific... just sometimes sucks on mobile phones and their mobile networks... not idea how often they switch IP addresses.
@CMDOBUENO - Indeed using the IP address can "complicate" things. I was initially thinking of using the IP to detect the country and maybe the city, although in some cases cities are too small and can easily/quickly change (I live in a small country and it is the case). So based on that maybe have a table:
And on the client side:
if there is a match no need to notify the user, it is probably (we can never be 100% sure) all fine. While if there is a mismatch or absence of the cookie (browser_key) we consider this as a new device, notify the user and store the data.
This solution wouldn't interfere with the client experience but only add this "annoying" email notification when a new device is detected. But to be honest how many times do we change country and or device/browser?
That said I also agree that it would be nice to have more native solutions when it comes to identifying devices.
Please or to participate in this conversation.