Reputation: 211
How can I force all users to be logged out in a SPA? I want it so that when I deploy a new version, all users automatically get logged out.
I tried the following, but I'm not sure if it's the safest way to do it.
php artisan key:generate
Upvotes: 14
Views: 22490
Reputation:
You can destroy all the sessions. If you use Laravel Envoy to handle deployments, you can add the following line.
rm -rf storage/framework/sessions/*
If you're using the database session driver, clearing the sessions table is easy.
DB::table('sessions')->truncate();
Upvotes: 5
Reputation: 139
I'm updating all users' remember tokens to blank, then flushing the stored session, and then modifying HomeController.
// Assumes the users table has a logout_at column
\DB::table('users')->update(array(
    'remember_token' => '',
    'logout_at' => \Carbon\Carbon::now()->toDateTimeString()));
Session::flush();
Then, in HomeController, modify the index function:
public function index()
{
    if (Auth::check()) {
        $token = Auth::user()->remember_token;
        if ($token) {
            return view('home');
        } else {
            return redirect('/logout');
        }
    } else {
        return view('home');
    }
}
Upvotes: 0
Reputation: 1061
// To log out a specific user:
// $id is the id of the user you want to log out
\DB::table('users')->where('id', $id)->update(['remember_token' => null]);
\DB::table('sessions')->where('user_id', $id)->delete();
// To log out all users:
$sessions = glob(storage_path("framework/sessions/*"));
foreach ($sessions as $file) {
    if (is_file($file)) {
        unlink($file);
    }
}
// Clear every remember token and every database session
\DB::table('users')->update(['remember_token' => null]);
\DB::table('sessions')->truncate();
There is no need for the sessions table operations if you are not using the database as the session driver.
Upvotes: -1
Reputation: 234
I'd like to share another way to achieve this, if the driver used is file.
This is the "pure" PHP way, so it could be a helper 'flush_sessions()':
$sessions = glob(storage_path("framework/sessions/*"));
foreach ($sessions as $file) {
    if (is_file($file)) {
        unlink($file);
    }
}
Is it safe to use this function? PHP will keep hidden files inside the given directory (.gitignore)... so try it out, it is safe.
It is worth mentioning that if you put this inside a controller method, your session will be restored after the file is deleted (apparently, Laravel will try to update the file after the request ends and, if it doesn't exist, will re-create it). But all other sessions (users) will be logged out. If you run this code in php artisan tinker, for example, it will not keep your own session file (because artisan runs with the 'array' driver).
But that is useful, in my opinion. For example: if an admin user wants to log out all users except himself.
For example: You have two sessions:
After running the function, you have only one (the user that used it):
I hope this helps someone.
Upvotes: -1
Reputation: 39
As you can see, the SessionGuard does a few things, and they are agnostic of the type of SESSION_DRIVER you have set in your environment.
So after reading some of the discussion on forums with Taylor and some other Laravel heavy-weights about why there isn't such a simple function, perhaps the best solution would be to create a post-deploy Job or Command that you could run that would simply cycle through all users, so for whatever Session is set. I'd try something like:
\App\User::each(function ($u) {
    Auth::login($u);
    Auth::logout();
});
Upvotes: 3
Reputation: 15457
If your session data is stored in the database, you need to clear the sessions table. Running a simple SQL query will solve the problem:
DELETE FROM sessions;
If your sessions are stored in files, then as @Karl suggests, you need to delete the session files from the filesystem:
rm -rf storage/framework/sessions/*
The name of the session cookie can also be changed to force all sessions to be invalid, but this is a code change rather than clearing data. The name can be updated in the cookie key in the config/session.php file. This option is NOT recommended.
Upvotes: 11
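A guarded form of the `rm -rf storage/framework/sessions/*` deploy step from the answers above, added here as an example and not part of any answer. The names `flush_file_sessions` and `demo_flush` are hypothetical, and the demo runs against a constructed temporary directory rather than a real Laravel install.

```shell
#!/bin/sh
# Added example: guarded replacement for `rm -rf storage/framework/sessions/*`.
# flush_file_sessions is a hypothetical helper name, not a Laravel or Envoy command.

# Delete the session files directly inside DIR and print how many were removed.
# Returns 1 without deleting anything if DIR is empty or not a directory.
flush_file_sessions() {
    dir=$1
    # An unset deploy variable must never turn the glob into "/*".
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "flush_file_sessions: not a usable directory: '$dir'" >&2
        return 1
    fi
    removed=0
    # A plain "*" skips dotfiles, so .gitignore survives (as with PHP's glob()).
    for f in "$dir"/*; do
        # Regular files only: skips subdirectories, symlinks and the
        # literal "*" that is left over when the directory is empty.
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            rm -f -- "$f" && removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Constructed demo: a throwaway directory stands in for storage/framework/sessions.
# Prints "<files removed>|<entries left behind>".
demo_flush() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/.gitignore"
    : > "$tmp/sessA"
    : > "$tmp/sessB"
    mkdir "$tmp/keepdir"
    count=$(flush_file_sessions "$tmp")
    left=$(ls -A "$tmp" | sort | paste -s -d ' ' -)
    rm -rf -- "$tmp"
    echo "$count|$left"
}

demo_flush
```

This covers the file session driver only. Users holding a remember-me cookie are signed back in unless remember_token is also cleared, as two of the answers above do.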