
rproud

Restricting User to One Session - Laravel 5.3

Hi All,

I want to restrict users in my app to only be able to log in from one device. If they log in from another device, the session on any other device they're logged in from should be destroyed.

After doing reading and trying to figure it out, I know I can destroy sessions, though how can I determine if that specific user already has an existing session?

Would I add any additional code to the logincontroller.php? Or somewhere else? Effectively, the flow would be:

User supplies username and password -> Posts to login controller -> Check if user has an existing session, if yes, destroy -> generates new session for this user

Thanks in advance!

0 likes
7 replies
rproud

Thanks. I've read through that one previously. Few Q's relating to it;

  1. So you have to store the session ID within your DB, you cannot detect if the user has a session based on the session file store?
  2. Laravel 5.3 doesn't have any authcontroller, it's now logincontroller, register etc... within the login controller, there are no functions (it is loading all functions from AuthenticatedUsers.php within the framework of Laravel). So that brings me to my next question, do I add the function to the login controller? Or to the AuthenticatedUsers.php component (guessing the prior?).
  3. Finally, and this is pure lack of understanding of Laravel on my behalf, if I add the new function to one of the above two files, how is it called? Adding public function authenticated(.....), what is calling this function? The routes aren't, the logincontroller doesn't reference it anywhere, and I get confused at this point on how to call the function.
rproud
OP
Best Answer
Level 1

Got this working. For reference for anyone who is also looking to achieve the same thing;

  1. Copy the function "sendLoginResponse" from AuthenticatesUsers.php in the framework into your LoginController.php file. This overwrites the default sendLoginResponse function.
  2. Update your users DB (migration & db seeds etc...) to have a session_id field, type: "text"
  3. Extend the sendLoginResponse function in your LoginController.php file to achieve what you want. My function now looks like below.

```php
protected function sendLoginResponse(Request $request)
{
    // Issue a fresh session ID for this login.
    $request->session()->regenerate();

    // Destroy the session recorded at the user's previous login, if any.
    $previous_session = Auth::user()->session_id;
    if ($previous_session) {
        \Session::getHandler()->destroy($previous_session);
    }

    // Record the new session ID so the next login can destroy it.
    Auth::user()->session_id = \Session::getId();
    Auth::user()->save();
    $this->clearLoginAttempts($request);

    return $this->authenticated($request, $this->guard()->user())
            ?: redirect()->intended($this->redirectPath());
}
```

2 likes
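An added example, not part of the original thread or rproud's code: a middleware that enforces the same rule on every request by comparing the current session ID with the `session_id` column from the answer above, and flashes a message when it signs a stale device out. It covers cases where destroying the old session by ID is not enough, such as the `cookie` session driver (the session data lives in the other browser) or a "remember me" cookie logging the old device back in. The class name `EnforceSingleSession`, the `/login` path and the `status` flash key are assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

// Hypothetical middleware name; not shipped with Laravel.
class EnforceSingleSession
{
    public function handle($request, Closure $next)
    {
        $user = Auth::user();

        // Only authenticated users with a recorded session are checked.
        if ($user && $user->session_id) {
            $current = $request->session()->getId();

            // The column holds the ID written by sendLoginResponse at the
            // most recent login. Any other ID belongs to an older device.
            if (! hash_equals((string) $user->session_id, $current)) {
                Auth::logout();

                // Drop all data tied to the stale session and issue a new ID.
                $request->session()->invalidate();

                // Assumed login path and flash key; adjust to your routes/views.
                return redirect('/login')->with(
                    'status',
                    'You were signed out because this account logged in on another device.'
                );
            }
        }

        return $next($request);
    }
}
```

Register it in the `web` middleware group in `app/Http/Kernel.php`, after `StartSession`. Any other code path that regenerates the session ID must also update `session_id`, or the user's own device will be signed out.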
Jk33

Could you explain a bit more this solution? It works great, but I'd like to let the user know when the session was destroyed because of a new session.

jlrdw

I will look into this, thanks.

realtebo

Sorry for 'necro-posting'... but after 5 years, is there any more modern way to force a single session per user?

1 like
