I'm trying to implement a user policy whereby only one user can login at a time. I'm trying to build this on top of Laravel's Auth driver.
I've thought of using the Session driver to store the sessions in the database and make the keys constant for each username. This is probably a terrible implementation because of session fixation.
What would the implementation be like? What methods in the Auth driver should I be editing? Where would the common session key be stored?
I recently did this.
My solution was to set the session value when a user logs in. Then I had a small class checking if the session ID stored is the same as the current user who is logged in.
If the user logs in from somewhere else the session ID in the DB will update and the "older" user will be logged out.
I didn't alter the Auth driver or anything, just put it on top when the user logs in. Below happens when login is successful:
$user->last_session = session_id();
$user->save();
To check if the session is valid I used below
if(session_id() != Auth::user()->last_session){
Auth::logout();
return true;
}
As you can see I added a column in the users table called last_session
With Laravel 5.6 and superior:
in LoginController add method
protected function authenticated()
{
\Auth::logoutOtherDevices(request('password'));
}
in Kernel
remove comment from line
\Illuminate\Session\Middleware\AuthenticateSession::class,
That's it, the feature is now included in Laravel!
my solution was extended from @Albin N for Laravel 5.* onward
add "last_session" column into table users
make sure you allow this column is fill-able by adding "last_session" into $fillable on User model (User.php)
protected $fillable = [
'name', 'email', 'password','last_session'
];
add authenticated() function into App/Http/Controllers/Auth/LoginController.php if you can't find it just make sure you have run php artisan make:auth
protected function authenticated()
{
// Update last_session after logged-in
User::find(Auth::id())->update(['last_session'=>Session::getId()]);
}
create new middleware class php artisan make:middleware SingleSession
if(Auth::check())
{
// If current session id is not same with last_session column
if(Auth::user()->last_session != Session::getId())
{
// do logout
Auth::logout();
// Redirecto login page
return Redirect::to('login');
}
}
finally call you SingleSession middleware class in kernel.php
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\SingleSession::class,
],
'api' => [
'throttle:60,1',
'bindings',
],
];
it will check every time before routes are being executed that's it! happy coding..!
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 疯言疯语 的文章《Single Session Login in Laravel》','https://www.manongdao.com/article-333002.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}