Laravel 5: Security – Authentication

Laravel 5: Security – Authentication

Authentication vs Authorization
Authentication: login + password (who you are)
Authorization: permissions (what you are allowed to do)

Laravel built in single level authentication

Single level means, that you have just one kind of authenticated user.
You can then assign different roles using authorization.
This will not work for multi level authorization, e.g. when you need to have structure like for instance:

  • students
  • teachers
  • associates

where each group should have it’s separate admin and database table.
For that, see this link.

But if single level is enough for you, this is how to get it working:

Some definitions

Guards define how users are authenticated for each request.
Guards are about where your application stores an authenticated user’s details (i.e. session, database, etc).
In other words, what driver is used (session, or token) and what provider (which model and what database driver)


Providers define how users are retrieved from your persistent storage.
Providers are how your application authenticates user, i.e. Eloquent, an API, and so on.
Which driver (eloquent, database) and which model (e.g. App\User).

Redirect after authentication

This code goes into your LoginController (or any other doing just that).

via property

via method

Login throttling

Throttling is a way to control how many times user can attempt to login before system will apply cool-down period.
Cool-down period is a forced break period, before user is allowed to try to login again.
Cool-down period length can also be set.

Since Laravel 5.3, it is hardcoded.
In previous versions of Laravel 5 it was possible to use maxLoginAttempts and lockoutTime inside of Login controller to define login attempts and lock out time (cool-down).

You can change it by hand in this trait

Just look for this method and make changes – read comments in code below to see what to change:

… or you can bring back maxLoginAttempts and lockoutTime

Detailed, step-by-step procedure is described here.

Default user identifier

When user is being identified, Laravel searches by default for user email in user table ’email’ column (field).
Then, it compares passwords.

If you use other column to find user, e.g. ‘username’ then you have to tell Laravel about it.

This is how (in LoginController):

Get currently authenticated user
via Auth facade

via Request instance

Once a user is authenticated, you may access the authenticated user via an Illuminate\Http\Request instance.

Protecting resources – authenticated users only
via Auth facade
This allows spot protection anywhere in code.
Quite handy in some cases.
In real life access protection is easier done by protecting routes, or controllers.
See below.

via controller __construct() method
This allows protecting all controller used resources.

via protecting route itself

Similar to controller __counstruct() protection (see above), just applied to route leading to controller.

Manually authenticating users
basic approach

extra authentication constraints

use custom guard

remember users
users table must include the string remember_token column.

Must remember this!!!
In short, use it, or clear old sessions, when e.g. changing password.
Also read about: AuthenticateSession here.
Logging user out

Programmatically login user
by Instance
Requires Illuminate\Contracts\Auth\Authenticatable in model.

by ID

authenticate A User Once (no cookies), good for stateless API

Login / logout built in events

Laravel raises a variety of events during the authentication process.
You may attach listeners to these events in your EventServiceProvider.

Read also about: