Can I listen for logout events when the user is disconnected when the session ends?

Level 58

Yes, you can listen for the logout event when the user is disconnected due to the session ending. Laravel provides an event called Illuminate\Auth\Events\Logout that is fired when a user logs out. You can create a listener for this event and perform your desired actions in the listener.

Here's an example of how you can create a listener for the Logout event:

Create a new listener using the php artisan make:listener command:

php artisan make:listener UpdateUserOnLogout

Open the newly created UpdateUserOnLogout class in the app/Listeners directory and add your desired code in the handle method:

namespace App\Listeners;

use Illuminate\Auth\Events\Logout;

class UpdateUserOnLogout
{
    public function handle(Logout $event)
    {
        // Update something in the DB when the user logs out
    }
}

protected $listen = [
    'Illuminate\Auth\Events\Logout' => [
        'App\Listeners\UpdateUserOnLogout',
    ],
];

Now, whenever a user logs out due to the session ending, the UpdateUserOnLogout listener will be triggered and your desired code will be executed.

Level 8

Lary's solution doesn't work for when a user is logged out via session end.

I have the following code as he said, with added Log:

namespace App\Listeners;

use Illuminate\Auth\Events\Logout;

class UpdateUserOnLogout
{
    public function handle(Logout $event)
    {
        Log::debug("User logged out");
    }
}

But it only logs when the user logs out via the logout button. If a user session time ends and he gets back to the login screen, this event is not triggered

martinbean

Level 80

Is it possible to listen to this logout event so that I can trigger some code? I need to update something in the DB when he logs out

@ligonsker No, because there’s nothing to send events. A web request is made, a response is sent, and that’s it. If a user goes away, there’s nothing running to “ping” your server. The user just has an invalidated session the next time they try and use your site and will be prompted to log in again.

1 like

Level 8

Oh yes. Do you think that in that case there's anything to do if I need to update the users table to decrease the number of active devices? I added a "devices_connected" column to the users table that increases count by one when a user logs in and decreases when a user logs out. But since I can't really track logging out due to expired session, I can't decrease the count. Should I use a completely different approach for that rather than the new column, or I can still somehow fix that?

Level 122

@Ligonsker You could change a count of 5 into 5 individual timestamps.

When you check if the user can login from a device,

check if the current device is already listed. If so, update the timestamp
check if they have a free device slot. if so, put the current time in that slot
check if any existing slots can be released because they are sufficiently old (eg more than 24 hours ago), and then use that one.
if there are no slots free, and the others have all been used in the last 24 hours then deny entry.

24 hours is only a suggestion. Use a value that makes sense for your application.

1 like

Level 8

@Snapey the problem is that the login session is only set to 15 minutes. What happens if (For the example I will just use up to 2 allowed devices) a user logs from Device A, then goes to Device B, then works on Device B more than 15 minutes, then he wants to log from Device C <- it will not be possible because there is no free slot, and I know you said the 24 hours is a suggestion, but for this example I just wanted to show that it's sometimes not possible to accurately tell exactly which devices are really logged out.

Is there a way to make it more accurate, i.e. to know really when the device is logged out?

newbie360

Level 24

@Ligonsker Don't know how you design the database, 15 minutes means this setting in the config/session.php ?

'lifetime' => env('SESSION_LIFETIME', 120),

just create a middleware, when the user login, check if the device count >= 2, redirect to a page, let him select delete a device first, when he press a delete button on that device

1. Remove that device record from database
2. Login and create a new device record

this work ?

or you talking about auto logout that device if idle 15 mins ?

1 like

Level 122

@Ligonsker only by updating the list of devices on every request (via middleware)

Bear in mind that this would add potentially multiple database requests to every request.

You could perhaps store it in session.

Alternatively tell the user, "You are only permitted to login from 2 separate devices in any 24 hour period"

1 like

Level 8

@newbie360 Yes this is an option and I am talking about auto logout after 15 minutes idle - but since it's a session being deleted I can't "catch" it. But your option works to display this message. Also yes I mean the setting in config/session.php

Level 8

@Snapey The session part could work (on every request, instead of DB query on every request), but, if a user logs from 2 different devices - these are 2 separate sessions for Laravel right? So I will either need to use PHP's native session, or, Laravel does offer a way to make a session based only on the username for example so that I can update this data?

Level 122

@Ligonsker Sorry I meant to say store it in cache. Session is only scoped to one user so that would be no good.

1 like

Level 8

@Snapey Oh and I was also wrong with my suggestion about the "native PHP session" 😅. So looks like I can't use it with the tools I have right now. I will try to setup cache then but might just do something else instead if it takes to long to setup now