J-LXXXIX

Laravel 12 - Vue-Starter-Kit - User info exposed after logout?

This might be a non-issue but figured I should ask the community.

I recently cloned the Laravel 12 Vue Starter Kit at: https://github.com/laravel/vue-starter-kit

Without making any changes, just exploring the Auth register/login/logout, I noticed my user information was still available in the page source after logging out. This happens in the demo too.

To replicate the steps, visit the demo: https://vue-starter-kit-main-jvxppc.laravel.cloud/

  1. Have your web-dev tools open [Elements tab].
  2. Log in ([email protected] - password) > Redirected to Dashboard page.
  3. Remove the /dashboard to visit the Welcome page whilst still logged in.
  4. Click the Dashboard button to go back to the Dashboard.
  5. Now logout > Redirected to Welcome page.

Here is a preview showing the auth.user details after logging out.

{"component":"Welcome","props":{"errors":{},"name":"vue-starter-kit","quote":{"message":"Simplicity is the essence of happiness.","author":"Cedric Bledsoe"},"auth":{"user":{"id":716,"name":"John Doe","email":"[email protected]","email_verified_at":null,"created_at":"2025-10-12T16:34:28.000000Z","updated_at":"2025-10-12T16:34:28.000000Z","two_factor_secret":null,"two_factor_recovery_codes":null,"two_factor_confirmed_at":null}},"sidebarOpen":true},"url":"\/","version":"850e89accfb87d611e99e43dccdf6e60","clearHistory":false,"encryptHistory":false}
LaryAI

You're correct in noticing that after logging out, your user information (like auth.user in the Inertia props) still appears in the HTML source of the /welcome page. This behavior can be explained and remedied.

Why Does This Happen?

When using Laravel with the Inertia.js stack (which the Vue Starter Kit does), data is passed from backend to frontend via "props" embedded in the initial page source. On logout, if your backend controller (or shared Inertia prop) still attaches the user data, it remains in the rendered HTML, even though you're technically logged out.

The typical cause is a global Inertia shared prop—frequently defined in app/Providers/AppServiceProvider.php like this:

use Inertia\Inertia;

public function boot(): void
{
    Inertia::share([
        'auth' => function () {
            return [
                'user' => auth()->user(),
            ];
        },
    ]);
}

If auth()->user() returns a user (even just before logout happens), this data will persist until the next full reload or navigation, due to pre-rendered server-side HTML or Vue state not resetting instantly.

How to Fix

1. Ensure auth.user is properly null after logout

You want to make sure that, after logout, the shared Inertia prop is empty. Try modifying your Inertia shared prop like this:

use Inertia\Inertia;

public function boot(): void
{
    Inertia::share([
        'auth' => function () {
            return [
                'user' => auth()->check() ? auth()->user() : null,
            ];
        },
    ]);
}

This ensures that if there's no authenticated user, the user property is null in your page HTML.

2. Redirect to prevent back navigation showing cached data

Browsers can cache rendered pages (especially with Inertia.js’ speedy nav), so after logout, always issue a full redirect to a public route, e.g.:

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Inertia\Inertia;

public function destroy(Request $request): RedirectResponse
{
    Auth::guard('web')->logout();
    $request->session()->invalidate();      // drop the server-side session
    $request->session()->regenerateToken(); // rotate the CSRF token

    return redirect('/');
    // Or `return Inertia::location('/');` for a full page load. Inertia::location()
    // returns a Symfony Response (a 409 for Inertia requests), so the return type
    // then has to be widened to \Symfony\Component\HttpFoundation\Response.
}

Using Inertia::location('/') is sometimes recommended for a full hard-refresh.

3. Front-end: Clear local/store user data (Vue/Pinia/etc) on logout

If your SPA has client-side user state, clear it on logout:

// Example for Pinia
const auth = useAuthStore()
auth.logout() // ensure this sets user to null

In summary

  • After logout, auth()->user() should be null, and not shared down to any Inertia page.
  • Whenever you logout, trigger a full redirect to clear any cached HTML with user data.
  • Also, clear any client-side user state management (e.g., with Pinia or Vuex) on logout.

You can safely ignore user data still being visible in the HTML immediately after logout, as long as all API endpoints and protected routes properly enforce authentication. The risk is only about data "leakage" in the source, not actual authentication. Still, it's best to clear that data from your Inertia shares for peace of mind and user privacy.

Final Shared Prop Example:

Inertia::share([
    'auth' => [
        'user' => fn () => auth()->check() ? auth()->user() : null,
    ],
]);

Let me know if you need specific code changes for your project!
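A concrete version of the "share only what is needed" idea for the starter kit's own middleware, added here as an example (not the starter kit's code). It assumes the layout the kit ships with: shared props are built in app/Http/Middleware/HandleInertiaRequests.php, which extends Inertia\Middleware and merges the parent's props with the spread operator.

```php
<?php

// Added example, not the starter kit's own code. Assumes the starter kit's
// layout: shared Inertia props are built in
// app/Http/Middleware/HandleInertiaRequests.php (extends Inertia\Middleware)
// and the parent's props are merged with the spread operator.

namespace App\Http\Middleware;

use Illuminate\Http\Request;
use Inertia\Middleware;

class HandleInertiaRequests extends Middleware
{
    /**
     * Props shared with every Inertia page render.
     */
    public function share(Request $request): array
    {
        return [
            ...parent::share($request),
            'auth' => [
                // Resolved lazily on each render. Null when nobody is logged in,
                // otherwise only the three columns the layout actually needs.
                // Passing the model itself serialises every non-hidden column:
                // the dump in the question shows two_factor_secret,
                // two_factor_recovery_codes and the timestamps going out.
                'user' => fn () => $request->user()?->only(['id', 'name', 'email']),
            ],
        ];
    }
}
```

This limits what a stale data-page attribute can leak to id, name and email. It does not refresh the attribute itself: Inertia writes data-page only on a full page load, so logout still has to end in a full page visit (Inertia::location) rather than an XHR redirect for the attribute to be re-rendered from the logged-out session.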

Mega_Aleksandar

As Lary pointed out, in Inertia, it is common to have the authenticated user in a "shared" prop, that gets passed around on each request.

Usually it is done in app/Http/Middleware/HandleInertiaRequests.php, in the share method of the class.

'auth' => [
    'user' => $request->user(),
],

If you look at the source code, it does not even check if the user is authenticated or not - the user has been identified by the session cookie and retrieved from the database, so Inertia has that information, thus showing it in all requests. If you utilize the auth()->check() and properly null it, there will be no information left for Inertia to serve.

Hope this helps.

vincent15000

In projects where I don't use InertiaJS, I write my own middleware to send the authenticated user to the frontend.

I don't retrieve the user from the request; I just identify the authenticated user.

So I think that you can adapt the InertiaJS shared data code to get what you need.

J-LXXXIX

Thank you both @mega_aleksandar & @vincent15000 for responding. My project is still pretty much untouched compared to a fresh vue-starter-kit, so I gave this a try as it made sense to me:

// app/Http/Middleware/HandleInertiaRequests.php

'auth' => [
    'user' => auth()->check() ? auth()->user() : null,
],

However the issue is still there.

Inside the `<div id="app" ...>` element's data-page attribute:

  1. The user is null to begin with. (As expected)
  2. The user is still null after login. (As expected)
  3. If I refresh the browser, now the user information is suddenly shown within that attribute. (Which is fine since it is that user currently logged in)
  4. However, now that this information exists in the HTML, it remains there even after logging out, until the page is refreshed again.

You can even try this on the demo site I posted above, as the code change I added made no difference. The user info will not be in the HTML until you perform a browser refresh; then it suddenly fills in and remains even after logging out.

vincent15000

When a user logs out, I also empty the user infos from the frontend.

This way I have no residual infos about the authenticated user after logging out.

J-LXXXIX

It seems this is the only way, where I guess I have to override the fortify one in the vendor directory: vendor/laravel/fortify/src/Http/Controllers/AuthenticatedSessionController.php

Thanks for sharing your alternative solution. I just feel that, although this is not a major security concern, out of the box it is still an easy way to have a user's personal details available for someone else to see, albeit under some very specific circumstances.

J-LXXXIX

Yes, that is what I meant by override: not directly modifying.

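On the "override rather than modify vendor/" point in the last two replies: Fortify exposes the logout redirect as a container contract, so the controller under vendor/laravel/fortify does not have to be copied or edited. The following is an added example, not the starter kit's or Fortify's own code. It assumes the Fortify-based starter kit, where Fortify's AuthenticatedSessionController::destroy invalidates the session and then resolves Laravel\Fortify\Contracts\LogoutResponse from the container, and that the app has a FortifyServiceProvider (the standard Fortify install publishes one; the same binding works from AppServiceProvider::register).

```php
<?php

// Added example, not the starter kit's or Fortify's own code. Assumes the
// Fortify-based starter kit: after logging the user out and invalidating the
// session, Fortify's AuthenticatedSessionController::destroy returns whatever
// the container resolves for Laravel\Fortify\Contracts\LogoutResponse, so
// binding our own implementation replaces the redirect without touching vendor/.

namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use Inertia\Inertia;
use Laravel\Fortify\Contracts\LogoutResponse;

class FortifyServiceProvider extends ServiceProvider
{
    public function register(): void
    {
        $this->app->singleton(LogoutResponse::class, function () {
            return new class implements LogoutResponse {
                public function toResponse($request)
                {
                    // For an Inertia (XHR) request this is a 409 response with an
                    // X-Inertia-Location header; the Inertia client answers it
                    // with a window.location visit, i.e. a full page load. The
                    // server then renders "/" from the now-empty session, so the
                    // data-page attribute is rebuilt with auth.user = null
                    // instead of keeping the copy written at the last reload.
                    // For a plain browser request it is an ordinary redirect.
                    return Inertia::location('/');
                }
            };
        });
    }
}
```

To check it: log in, press F5 so the data-page attribute contains auth.user, log out, then view the page source (not the live DOM). The rendered attribute should now carry "auth":{"user":null}, because the logout ended in a full server render rather than an in-place Inertia visit.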
