Laravel - Authentication - Invalidating Sessions On Other Devices
Laravel also provides a mechanism for invalidating and "logging out" a user's sessions that are active on other devices without invalidating the session on their current device. This feature is typically utilized when a user is changing or updating their password and you would like to invalidate sessions on other devices while keeping the current device authenticated.
Before getting started, you should make sure that the Illuminate\Session\Middleware\AuthenticateSession middleware is present and un-commented in your App\Http\Kernel class' web middleware group:
    'web' => [
        // ...
        \Illuminate\Session\Middleware\AuthenticateSession::class,
        // ...
    ],
Then, you may use the logoutOtherDevices method provided by the Auth facade. This method requires the user to confirm their current password, which your application should accept through an input form:
    use Illuminate\Support\Facades\Auth;
    Auth::logoutOtherDevices($currentPassword);
When the logoutOtherDevices method is invoked, the user's other sessions will be invalidated entirely, meaning they will be "logged out" of all guards they were previously authenticated by.
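A route that accepts the confirmation form and then calls the method, shown as an added example and not code from the Laravel documentation. The route path, the `password` field name, the flash key and the throttle limit are assumptions, and the `current_password` validation rule assumes Laravel 8 or later.

```php
<?php
// routes/web.php
// Added example: the path, field name, flash key and rate limit are assumptions.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

Route::post('/account/sessions/logout-others', function (Request $request) {
    // Check the submitted value against the stored hash first, so a wrong
    // password comes back as an ordinary form error and never reaches
    // logoutOtherDevices().
    $validated = $request->validate([
        'password' => ['required', 'string', 'current_password'],
    ]);

    // Invalidates the user's sessions on every other device. The session
    // making this request stays authenticated.
    Auth::logoutOtherDevices($validated['password']);

    // Issue a fresh session ID for the device that remains signed in.
    $request->session()->regenerate();

    return back()->with('status', 'other-sessions-logged-out');
})->middleware([
    // Only an authenticated user may trigger this.
    'auth',
    // This endpoint confirms whether a password is correct, so limit how
    // often one client can submit it (6 attempts per minute here).
    'throttle:6,1',
]);
```

The route must sit in the web middleware group so that AuthenticateSession runs on it and on the user's other sessions.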