Laravel: What is "remember_token" in the "users" DB table?

LaravelSecurityAuthenticationToken

Laravel Problem Overview

Is it safe to use the remember_token in the users table for authenticating the user into the application?

What is the purpose of this token? Currently, I'm using it in forms to check whether the user is logged in - if the token is not present, I show the login screen. Each time the user logs out, this token is regenerated.

Laravel Solutions

Solution 1 - Laravel

No. It's not supposed to be used to authenticate. It's used by the framework to help against Remember Me cookie hijacking. The value is refreshed upon login and logout. If a cookie is hijacked by a malicious person, logging out makes the hijacked cookie useless since it doesn't match anymore.

Refer to this documentation:

https://laravel.com/docs/4.2/upgrade#upgrade-4.1.29

Solution 2 - Laravel

I had to add the remember_token to my users table migration in order for Auth::logout() to work properly.

Added remember_token to my migrations as such.

<?php

use Illuminate\Database\Schema\Blueprint;
use Illuminate\Database\Migrations\Migration;

class CreateUsersTable extends Migration {

    /**
     * Run the migrations.
     *
     * @return void
     */
    public function up()
    {
        //
        Schema::create('users', function(Blueprint $table)
        {
            $table->increments('id');
            $table->string('lname', 32);
            $table->string('fname', 32);
            $table->string('username', 32);
            $table->string('email', 320);
            $table->string('remember_token', 100);
            $table->string('password', 64);

            $table->timestamps();
        });
    }

    /**
     * Reverse the migrations.
     *
     * @return void
     */
    public function down()
    {
        //
        Schema::drop('users');

    }

}

From the command-line you the have to drop the users table, then migrate/seed.

Solution 3 - Laravel

Even if this an old question, I wanted to present an option not use the token if you don't need it (e.g. have no remember me option on your site).

Instead of adding a dummy column to your users table you can just prevent Auth::logout() from setting it.

Just add this to your User model (works as of Laravel 5.6):

public function save(array $options = array()) {
    if(isset($this->remember_token))
        unset($this->remember_token);
    
    return parent::save($options);
}

This removes the 'remember_token' column just before the model gets saved and thus preventing an error to be risen because of the non-existant column.

Solution 4 - Laravel

Laravel provides a CSRF token in a hidden input it automatically adds and validates whenever a form is submitted, whether you're logged in or not. If you're using their Form builder, this is happening without you even needing to check on it.

You should check if the user is logged in on submission using the Auth facade.

Categories
Recommended Laravel Solutions
Recommended Security Solutions
Recommended Authentication Solutions
Recommended Token Solutions

Previous Solution:

Cannot convert lambda expression to type 'object' because it is not a delegate type

C#LinqLambdaDelegates

Next Solution:

How to check if a folder exists before creating it in laravel?

PhpLaravelLaravel 4

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionOnionView Question on Stackoverflow
Solution 1 - LaravelsidneydobberView Answer on Stackoverflow
Solution 2 - LaravelCyril TView Answer on Stackoverflow
Solution 3 - LaravelLinusCDEView Answer on Stackoverflow
Solution 4 - LaravelDanielMView Answer on Stackoverflow