Question

Recently I decided to add a "remember me" feature to my Laravel 4 app. An appropriate method, with its syntax, was found:

Auth::attempt(array $credentials = array(), $remember = false)

This was adopted for my needs like so:

Auth::attempt($userdata, Input::has('remember'))

The application kept the Auth session, and the user was authenticated even after the browser was closed.

However, I have found out that Laravel now always keeps a user authenticated, no matter what state the "remember" checkmark is in.

I have tried to do:

Auth::attempt($userdata, false)

and

Auth::attempt($userdata,)

The user was still authenticated across browser sessions!!! Now, since Auth::attempt($userdata) is not keeping the auth session, I felt that whenever there is an indication of the second argument in the Auth::attempt method, Laravel automatically assumes it is "true". Can anyone clarify that?

EDIT: To make it super clear to everyone, I will list the steps to recreate this behaviour:

  1. Log out of the app: Auth::logout();
  2. Log in again: Auth::attempt($userdata, false)
  3. Close and open the browser.
  4. Go to the app URL.
  5. The application is loaded authenticated.

This is my first question here, so please, be patient with me :)


Solution

EDIT: The OP made clear he called Auth::logout() properly, so the answer is edited to include the "real" answer.

Set the lifetime value in app/config/session.php to 0 to make the cookie clear on browser close.

Previous answer

This is the login method in the Illuminate\Auth\Guard class (which is facaded to Auth), which is eventually called by Auth::attempt().

Source: http://laravel.com/api/source-class-Illuminate.Auth.Guard.html#263-291

 public function login(UserInterface $user, $remember = false)
 {
     $id = $user->getAuthIdentifier();

     $this->session->put($this->getName(), $id);

     // If the user should be permanently "remembered" by the application we will
     // queue a permanent cookie that contains the encrypted copy of the user
     // identifier. We will then decrypt this later to retrieve the users.
     if ($remember)
     {
         $this->queuedCookies[] = $this->createRecaller($id);
     }

     // If we have an event dispatcher instance set we will fire an event so that
     // any listeners will hook into the authentication events and run actions
     // based on the login and logout events fired from the guard instances.
     if (isset($this->events))
     {
         $this->events->fire('auth.login', array($user, $remember));
     }

     $this->setUser($user);
 }

It is clear that even though the cookie is set when $remember is set to true, the cookie itself is not cleared when $remember is set to false or another non-truthy value.

The cookie is cleared when you call the Auth::logout() function.
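
The interaction between the session lifetime and the $remember flag described in this answer, as an added toy model (not Laravel's code and not part of the original answer). The cookie names, helper functions, timestamps, the 120-minute lifetime and the 5-year recaller expiry are assumptions of the sketch, and the browser is assumed not to restore sessions on restart.

```php
<?php
// Toy model, not Laravel code: cookie names, helpers and values are constructed.

// Cookies sent on a successful login; expires === 0 marks a browser-session cookie.
function loginCookies($lifetimeMinutes, $remember, $now)
{
    // Session cookie: expiry follows the session "lifetime" setting, not $remember.
    $cookies = array('session_id' => array(
        'value'   => 'constructed-session-id',
        'expires' => $lifetimeMinutes > 0 ? $now + $lifetimeMinutes * 60 : 0,
    ));
    if ($remember) {
        // Recaller cookie: queued only when $remember is truthy (5 years assumed here).
        $cookies['remember'] = array(
            'value'   => 'constructed-recaller',
            'expires' => $now + 5 * 365 * 24 * 3600,
        );
    }
    return $cookies;
}

// What a browser (without session restore) still holds when reopened at $later.
function afterBrowserRestart(array $cookies, $later)
{
    $kept = array();
    foreach ($cookies as $name => $cookie) {
        if ($cookie['expires'] !== 0 && $cookie['expires'] > $later) {
            $kept[$name] = $cookie;
        }
    }
    return $kept;
}

// Either surviving cookie is enough for the server to treat the visitor as logged in.
function stillAuthenticated(array $cookies)
{
    return isset($cookies['session_id']) || isset($cookies['remember']);
}

$now = 1700000000; // constructed timestamp
foreach (array(array(120, false), array(120, true), array(0, false), array(0, true)) as $case) {
    list($lifetime, $remember) = $case;
    $kept = afterBrowserRestart(loginCookies($lifetime, $remember, $now), $now + 300);
    printf("lifetime=%-3d remember=%-5s authenticated after restart: %s\n",
        $lifetime, var_export($remember, true), var_export(stillAuthenticated($kept), true));
}
```

Only the combination of lifetime 0 and remember false ends logged out after the restart, which is the result the question expected from passing false.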

Licensed under: CC-BY-SA with attribution