
Ligonsker's avatar

Is it possible to call logoutOtherDevices without a password?

Hello

I noticed that logoutOtherDevices calls the rehashUserPassword() method:

    protected function rehashUserPassword($password, $attribute)
    {
        if (! Hash::check($password, $this->user()->{$attribute})) {
            throw new InvalidArgumentException('The given password does not match the current password.');
        }

        return tap($this->user()->forceFill([
            $attribute => Hash::make($password),
        ]))->save();
    }

(Source: https://github.com/laravel/framework/blob/9c44052743b0ee7f3adea36994918b4d8019e8b3/src/Illuminate/Auth/SessionGuard.php#L691C20-L691C20)

Is it possible, however, to use it without a password for certain users that use LDAP to connect but are stored with an empty password in the DB?

I can use a workaround by hashing some hard-coded password like 'password' and then it works (I checked):

    Auth::logoutOtherDevices('password');

But maybe I can do it better and actually call it without a password?

ty

Snapey's avatar

I think it's about invalidating sessions without being able to find and destroy those sessions.

You should be able to use the same string for all users, as the password hash will always be different.

Ligonsker's avatar

@Snapey can you please explain? Or did you simply agree with my last idea of having the same hard-coded password string?

stemithy's avatar

You can update their app password with their LDAP password before logging out other devices.

    // Replace app password with LDAP password
    $request->user()->forceFill([
        'password' => Hash::make($request->password),
    ])->save();

    // Log out other devices
    Auth::logoutOtherDevices($request->password);
    return $next($request);
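
As an added illustration (not code from the thread or from Laravel), this plain-PHP sketch models why re-hashing the same string logs out other sessions: each session keeps the hash it last saw, and a fresh bcrypt salt changes the stored hash. The `User`, `Session` and `rehash` names are hypothetical, the per-request comparison is a simplified assumption about the session check, and a random throwaway secret is used instead of a fixed string such as 'password', which would verify against the stored hash.

```php
<?php
// Simplified model, not Laravel code: a session remembers the password hash
// that was current when it was last validated, and it is rejected once the
// hash stored on the user record no longer matches.

final class User
{
    public string $password = ''; // stands in for the stored hash column
}

final class Session
{
    public function __construct(public string $seenHash) {}

    // Models the per-request comparison (assumption: constant-time equality).
    public function isValidFor(User $user): bool
    {
        return hash_equals($user->password, $this->seenHash);
    }
}

// Models rehashUserPassword(): verify the secret, then store a fresh hash.
function rehash(User $user, string $secret): void
{
    if (!password_verify($secret, $user->password)) {
        throw new InvalidArgumentException('secret does not match stored hash');
    }
    $user->password = password_hash($secret, PASSWORD_BCRYPT);
}

$user = new User();

// Throwaway random secret (constructed here) instead of a hard-coded string.
$secret = bin2hex(random_bytes(20));
$user->password = password_hash($secret, PASSWORD_BCRYPT);

// Two devices logged in while the first hash was current.
$laptop = new Session($user->password);
$phone  = new Session($user->password);

rehash($user, $secret);              // same secret, new salt, different hash
$laptop->seenHash = $user->password; // the calling session is refreshed

var_dump($laptop->isValidFor($user));                    // calling device
var_dump($phone->isValidFor($user));                     // other device
var_dump(password_verify('password', $user->password)); // fixed guessable string
```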
