Pregunta
Is it safe to use the remember_token in the users table for authenticating the user into the application?
What is the purpose of this token? Currently, I'm using it in forms to check whether the user is logged in - if the token is not present, I show the login screen. Each time the user logs out, this token is regenerated.
Solución
No. It's not supposed to be used to authenticate. It's used by the framework to help against Remember Me cookie hijacking. The value is refreshed upon login and logout. If a cookie is hijacked by a malicious person, logging out makes the hijacked cookie useless since it doesn't match anymore.
Refer to this documentation:
Otros consejos
I had to add the remember_token to my users table migration in order for Auth::logout() to work properly.
Added remember_token to my migrations as such.
https://stackoverflow.com/questions/23262351
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian<?php
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Database\Migrations\Migration;
class CreateUsersTable extends Migration {
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
//
Schema::create('users', function(Blueprint $table)
{
$table->increments('id');
$table->string('lname', 32);
$table->string('fname', 32);
$table->string('username', 32);
$table->string('email', 320);
$table->string('remember_token', 100);
$table->string('password', 64);
$table->timestamps();
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
//
Schema::drop('users');
}
}
From the command-line you the have to drop the users table, then migrate/seed.
Even if this an old question, I wanted to present an option not use the token if you don't need it (e.g. have no remember me option on your site).
Instead of adding a dummy column to your users table you can just prevent Auth::logout() from setting it.
Just add this to your User model (works as of Laravel 5.6):
public function save(array $options = array()) {
if(isset($this->remember_token))
unset($this->remember_token);
return parent::save($options);
}
This removes the 'remember_token' column just before the model gets saved and thus preventing an error to be risen because of the non-existant column.
Laravel provides a CSRF token in a hidden input it automatically adds and validates whenever a form is submitted, whether you're logged in or not. If you're using their Form builder, this is happening without you even needing to check on it.
You should check if the user is logged in on submission using the Auth facade.
To solve the problem of rememberToken in Logout Add functions in Auth/LoginController:
function get_guard(){
if(Auth::guard('web')->check()){
return "web";
}
elseif(Auth::guard('manager')->check()){
return "manager";
}
elseif(Auth::guard('client')->check()){
return "client";
}
return "web";
}
public function logout(){
$guard = $this->get_guard();
switch ($guard) {
case 'admin': Auth::guard('admin')->logout(); break;
case 'web' : Auth::guard('web')->logout(); break;
default : Auth::guard('web')->logout(); break;
}
return redirect()->guest(route("login"));
}
