Session Authenticator
The Session authenticator stores the user's authentication within the user's session, and in a secure cookie on their device. This is the standard password-based login used in most web sites. It supports a secure remember-me feature, and more. This can also be used to handle authentication for single page applications (SPAs).
Method References
attempt()
When a user attempts to log in with their email and password, you would call the attempt() method on the auth class, passing in their credentials.
// Collect the submitted credentials from the POST body.
$credentials = [
    'email'    => $this->request->getPost('email'),
    'password' => $this->request->getPost('password')
];
$loginAttempt = auth()->attempt($credentials);
// On failure, send the user back with the reason for the failure.
if (! $loginAttempt->isOK()) {
    return redirect()->back()->with('error', $loginAttempt->reason());
}
Upon a successful attempt(), the user is logged in. The Response object returned will provide the user that was logged in as extraInfo().
$result = auth()->attempt($credentials);
if ($result->isOK()) {
    $user = $result->extraInfo();
}
If the attempt fails, a failedLogin event is triggered with the credentials array as the only parameter. Whether or not they pass, a login attempt is recorded in the auth_logins table.
If allowRemembering is true in the Auth config file, you can tell the Session authenticator to set a secure remember-me cookie.
$loginAttempt = auth()->remember()->attempt($credentials);
check()
If you would like to check a user's credentials without logging them in, you can use the check() method.
$credentials = [
    'email'    => $this->request->getPost('email'),
    'password' => $this->request->getPost('password')
];
$validCreds = auth()->check($credentials);
if (! $validCreds->isOK()) {
    return redirect()->back()->with('error', $validCreds->reason());
}
The Result instance returned contains the valid user as extraInfo().
loggedIn()
You can determine if a user is currently logged in with the aptly titled method, loggedIn().
if (auth()->loggedIn()) {
    // Do something.
}
logout()
You can call the logout() method to log the user out of the current session. This will destroy and regenerate the current session, purge any current remember-me tokens for this user, and trigger a logout event.
auth()->logout();
forget()
The forget method will purge all remember-me tokens for the current user, making it so they will not be remembered on the next visit to the site.
Events and Logging
The following is a list of Events and Logging for Session Authenticator.
Register
- Default Register
    - Post email/username/password
        - OK → event register and login
        - NG → no event
- Register with Email Activation
    - Post email/username/password
        - OK → event register
        - NG → no event
    - Post token
        - OK → event login
        - NG → no event
Login
- Default Login
    - Post email/password
        - OK → event login / table auth_logins
        - NG → event failedLogin / table auth_logins
- Email2FA Login
    - Post email/password
        - OK → no event / table auth_logins
        - NG → event failedLogin / table auth_logins
    - Post token
        - OK → event login
        - NG → no event
- Remember-me
    - Send remember-me cookie w/o session cookie
        - OK → no event
        - NG → no event
- Magic-link
    - Post email
        - OK → no event
        - NG → no event
    - Send request with token
        - OK → event login and magicLogin / table auth_logins
        - NG → event failedLogin / table auth_logins
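
The failedLogin event listed above can feed a simple brute-force alert. The listener below is an added example, not code from the Shield project: it counts failures per account and per IP address in the cache and writes one warning when a threshold is reached. The file location (app/Config/Events.php), the cache key names, the 15-minute window and the threshold of 5 are assumptions.

```php
<?php
// app/Config/Events.php (added example; key names and thresholds are assumptions)

use CodeIgniter\Events\Events;

Events::on('failedLogin', static function (array $credentials): void {
    // Defensive: make sure no secret can reach the cache or the log,
    // whatever the array that was passed to the event contains.
    unset($credentials['password']);

    // A failedLogin raised for a magic-link token request may carry no email,
    // so a missing key falls back to a fixed label instead of raising a notice.
    $email = strtolower(trim((string) ($credentials['email'] ?? '')));
    $ip    = service('request')->getIPAddress();

    // Hash the identifiers: CodeIgniter cache keys reject reserved characters
    // such as "@" and ":", and the email is attacker-supplied text that should
    // not be written to the log verbatim (newlines would forge log entries).
    $ids = [
        'acct' => $email === '' ? 'no-email' : substr(hash('sha256', $email), 0, 16),
        'ip'   => substr(hash('sha256', $ip), 0, 16),
    ];

    $window    = 900; // seconds (assumed); each failure restarts the window
    $threshold = 5;   // failures before a warning is logged (assumed)

    foreach ($ids as $scope => $id) {
        $key = "failed_login_{$scope}_{$id}";

        // get-then-save is not atomic; adequate for alerting, not for hard limits.
        $count = (int) (cache()->get($key) ?? 0) + 1;
        cache()->save($key, $count, $window);

        // Log once, when the threshold is first reached, to avoid log flooding.
        if ($count === $threshold) {
            log_message('warning', 'Repeated failed logins: scope={scope} id={id} count={count} ip={ip}', [
                'scope' => $scope,
                'id'    => $id,
                'count' => $count,
                'ip'    => $ip,
            ]);
        }
    }
});
```

Counting per account and per IP separately catches both password guessing against one user and one source trying many users.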