vahnmarty's avatar

How to display a message when the session expired?

I know that Laravel sets automatic timeouts when the user or the page has been idle, depending on your session lifetime. When this happens, it redirects to the '/login' route.

I am thinking of something like this. I am using it in my view (login.blade.php), but it gives an error.

    @if (Session::hasExpired())
        <div class="alert alert-info">
            <p>
                Your session has expired. Please login back!.
            </p>
        </div>
    @endif
clemblanco's avatar

Yeah I was looking into this too.

I'm not sure this is possible currently with the framework, as I don't think the way PHP sessions work in general allows this.

I think sessions will expire in the background and the framework will do some garbage collection when needed, but it won't really "know" when the session expired. It will notice something is missing, but it will not know whether it's because it expired or because the user never had a session to start with.

This is my theory but I'm not entirely sure about it.

dondiddly's avatar

This is an old topic but still not finding much in the way of results so thought I'd post my solution. It's a bit involved however...

In the session config file in Laravel, you have a value for the session lifetime. In my case, I needed the sessions to expire after 30 minutes of inactivity so I set this value to 30. I pass this value back to JS on the page (lots of ways to do this depending on your infrastructure and preferences). I set a couple of JS timeouts (setTimeout) that are cleared every time the user makes a request to the server. If you're not building an SPA, a page load would be sufficient in setting these timeouts. If you're building an SPA, you just clear and reset the timeouts on each request. In either case, each request resets these timeouts.

My first timeout occurs after 27 minutes (lifetime minus 3) which will pop up an alert / dialog to the user that tells them their session will be expiring soon. They are presented with an option to keep the session active by clicking a button that makes an empty request to the server which will persist the session. If the user hits this button, the timeouts are reset and the session will persist for another 30 minutes. If the user ignores the warning (or clicks cancel) and the session is left to expire, the second timeout will execute which makes a post request to the logout route (likely logged out already but won't hurt). These timeouts are only active on pages where authentication is required.

A tricky part is when the user is working in multiple tabs. You want each warning to pop up on every tab at the same time, not based on the last activity within that tab. You also don't want other tabs logging the user out. For this, I stored the session timeout expiration time in a cookie as a timestamp. Each request sets this value to now + 30 minutes. Now each time one of the timeouts executes, it first checks the cookie value and makes sure that the timeout is executing at the expected time and that the session has in fact expired or will be expiring. If the cookie value has been updated elsewhere, you reset your timeouts but this time, just based on the time remaining (the difference between now and the cookie value). Otherwise continue as expected.

Another point to consider is that logging out, in a standard Laravel app, will send the user to the login page. Now the login page will sit idle and when the user returns their CSRF token might have expired. So they will enter their credentials only for the process to bomb and for them to be told their security token has expired. So you might want to consider sending the user to a special logged out page that just tells them they were logged out due to inactivity and presents a login link to send the user back to the login page, which will reset the CSRF token. What I did was just present a dialog to let the user know they were signed out and when they dismiss it, the page reloads. I would have preferred the separate logout page though, looking back.
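
A sketch of the cookie-checked timers described in the reply above, as an added example that is not code from the thread or from Laravel. The cookie name `session_expires_at` (epoch milliseconds, written by the server on every authenticated response) and the handlers `showWarning`, `hideWarning` and `postLogout` are assumptions.

```javascript
// Added example. Assumed: the server writes a JS-readable cookie "session_expires_at"
// (epoch milliseconds, now + lifetime) on every authenticated response. It holds only a
// timestamp and is a UI hint; the server-side session lifetime is what enforces expiry.
const WARN_BEFORE_MS = 3 * 60 * 1000; // warn at lifetime minus 3 minutes, as in the post

// Parse the shared expiry out of a document.cookie-style string; null if missing or malformed.
function readExpiry(cookieString, name = 'session_expires_at') {
  for (const part of cookieString.split(';')) {
    const [key, value] = part.trim().split('=');
    if (key === name && /^\d+$/.test(value || '')) return Number(value);
  }
  return null;
}

// Decide what a timer that just fired should do. Another tab may have moved the expiry
// forward, so the decision is based on the cookie, never on which timer fired.
function nextAction(expiresAt, now) {
  const remaining = expiresAt === null ? 0 : expiresAt - now; // no cookie: treat as expired
  if (remaining <= 0) return { action: 'logout', delay: 0 };
  if (remaining <= WARN_BEFORE_MS) return { action: 'warn', delay: remaining };
  return { action: 'wait', delay: remaining - WARN_BEFORE_MS };
}

// Timer loop with injected dependencies so the same code runs in a browser or a test.
function startSessionWatch({ getCookie, now, setTimer, onWarn, onActive, onLogout }) {
  function tick() {
    const step = nextAction(readExpiry(getCookie()), now());
    if (step.action === 'logout') return onLogout();
    if (step.action === 'warn') onWarn(); else onActive(); // onActive hides a stale warning
    setTimer(tick, step.delay);
  }
  tick();
}

// Browser wiring (hypothetical handlers showWarning/hideWarning/postLogout):
// startSessionWatch({
//   getCookie: () => document.cookie, now: Date.now, setTimer: setTimeout,
//   onWarn: showWarning, onActive: hideWarning, onLogout: postLogout,
// });
```

Because the cookie carries no session identifier and the server still enforces the lifetime, a tampered or missing value can only change when the dialog appears, not how long the session lasts.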