65

Is it safe to use the remember_token in the users table for authenticating the user into the application?

What is the purpose of this token? Currently, I'm using it in forms to check whether the user is logged in - if the token is not present, I show the login screen. Each time the user logs out, this token is regenerated.

5 Answers

103

No. It's not supposed to be used to authenticate. It's used by the framework to help against Remember Me cookie hijacking. The value is refreshed upon login and logout. If a cookie is hijacked by a malicious person, logging out makes the hijacked cookie useless since it doesn't match anymore.

Refer to this documentation:

https://laravel.com/docs/4.2/upgrade#upgrade-4.1.29

26
  • 1
    security.stackexchange.com/questions/988/… Commented Apr 24, 2014 at 7:57
  • 1
    OAuth is simply for safely establishing cross origin authentication. Good luck and beware, do not take this lightly since you might open up your whole database for the public and not be aware of this! I spend days of reading and sandboxing pet projects and I'm still a noob! :) Commented Apr 24, 2014 at 8:13
  • 1
    1. Register the user with the API (database that OAuth uses). 2. The user logs in to the app, the app sends a request for a token and gets it because the user is valid. 3. The user can do requests using the token to validate. In a nutshell. :) Commented Apr 24, 2014 at 8:19
  • 1
    I always use postman REST client to do my testing. chrome.google.com/webstore/detail/postman-rest-client/… Commented Apr 24, 2014 at 8:26
  • 1
    I created a chatroom to continue the conversation in the right place. chat.stackoverflow.com/rooms/51330/… Commented Apr 24, 2014 at 9:03
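The rotation the accepted answer describes, as an added stand-alone PHP sketch (not Laravel's own code, and not from any answer here): the `RememberTokenStore` class and its method names are assumptions, and Laravel's real remember cookie also carries the user id and a password-hash fragment, which is omitted. The token only decides whether a remember cookie may re-establish a session; whether the current request is authenticated is a separate question answered by `Auth::check()`.

```php
<?php
// Added example, not Laravel source: a minimal model of the remember_token
// column and the remember cookie, showing why cycling the token on logout
// makes any earlier copy of the cookie useless. Class and method names are
// assumptions chosen for this illustration.
final class RememberTokenStore
{
    /** @var array<int, string|null> user id => remember_token column value */
    private array $rows = [1 => null];   // constructed sample: one user, no token yet

    // Login with "remember me" ticked: mint a fresh token, persist it and hand
    // the same value to the browser cookie.
    public function issue(int $userId): string
    {
        $token = bin2hex(random_bytes(30));   // 60 hex chars, fits a 100-char column
        $this->rows[$userId] = $token;
        return $token;
    }

    // Logout (Laravel also does this on login): replace the stored token so a
    // cookie copied before this point no longer matches the database.
    public function cycle(int $userId): void
    {
        $this->rows[$userId] = bin2hex(random_bytes(30));
    }

    // Validate a presented remember cookie. Constant-time compare; a NULL
    // column (user never used "remember me") matches nothing.
    public function matches(int $userId, string $cookieToken): bool
    {
        $stored = $this->rows[$userId] ?? null;
        return $stored !== null && hash_equals($stored, $cookieToken);
    }
}

$store  = new RememberTokenStore();
$cookie = $store->issue(1);             // value the browser keeps in the remember cookie

var_dump($store->matches(1, $cookie));  // bool(true): cookie is current
$store->cycle(1);                       // the user logs out
var_dump($store->matches(1, $cookie));  // bool(false): the old cookie is now dead
```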
11

I had to add the remember_token to my users table migration in order for Auth::logout() to work properly.

Added remember_token to my migrations as such.

<?php

use Illuminate\Database\Schema\Blueprint;
use Illuminate\Database\Migrations\Migration;

class CreateUsersTable extends Migration {

    /**
     * Run the migrations.
     *
     * @return void
     */
    public function up()
    {
        Schema::create('users', function (Blueprint $table)
        {
            $table->increments('id');
            $table->string('lname', 32);
            $table->string('fname', 32);
            $table->string('username', 32);
            $table->string('email', 320);
            // The upgrade guide asks for a nullable string of 100 characters:
            // the column stays empty until "remember me" is used, so it must allow NULL.
            $table->string('remember_token', 100)->nullable();
            $table->string('password', 64);

            $table->timestamps();
        });
    }

    /**
     * Reverse the migrations.
     *
     * @return void
     */
    public function down()
    {
        Schema::drop('users');
    }

}

From the command line you then have to drop the users table, then migrate/seed.

3
  • 3
    Just wanted to point out a minor change - according to the Laravel upgrade guide (laravel.com/docs/upgrade#upgrade-4.1.26) the remember_token should be 100 not 64 - so $table->string('remember_token', 100);
    – SnapShot
    Commented Jul 8, 2014 at 22:02
  • And ->nullable() "you should verify that your users (or equivalent) table contains a nullable, string remember_token column of 100 characters"
    – markdwhite
    Commented Sep 7, 2016 at 6:45
  • The question was "What is the purpose of this token?"
    – miken32
    Commented Jan 30, 2024 at 2:12
4

Even if this is an old question, I wanted to present an option to not use the token if you don't need it (e.g. you have no remember me option on your site).

Instead of adding a dummy column to your users table you can just prevent Auth::logout() from setting it.

Just add this to your User model (works as of Laravel 5.6):

public function save(array $options = [])
{
    // Drop the attribute Auth::logout() sets, so the UPDATE does not reference
    // a remember_token column this users table does not have.
    if (isset($this->remember_token)) {
        unset($this->remember_token);
    }

    return parent::save($options);
}

This removes the 'remember_token' attribute just before the model gets saved, thus preventing an error from being raised because of the non-existent column.

2
  • 1
    this is helpful in 5.2 too
    – adam
    Commented May 21, 2019 at 6:50
  • The question was "What is the purpose of this token?"
    – miken32
    Commented Jan 30, 2024 at 2:12
0

Laravel provides a CSRF token in a hidden input it automatically adds and validates whenever a form is submitted, whether you're logged in or not. If you're using their Form builder, this is happening without you even needing to check on it.

You should check if the user is logged in on submission using the Auth facade.

-1

To solve the problem of rememberToken in logout, add these functions in Auth/LoginController:

    // Requires: use Illuminate\Support\Facades\Auth;

    // Return the name of the guard the current request is authenticated with,
    // falling back to the default 'web' guard.
    public function get_guard()
    {
        if (Auth::guard('web')->check()) {
            return 'web';
        } elseif (Auth::guard('manager')->check()) {
            return 'manager';
        } elseif (Auth::guard('client')->check()) {
            return 'client';
        }
        return 'web';
    }

    // Log out of the guard that is actually authenticated; each case must match
    // a value get_guard() can return, otherwise that guard is never logged out.
    public function logout()
    {
        $guard = $this->get_guard();
        switch ($guard) {
            case 'manager': Auth::guard('manager')->logout(); break;
            case 'client':  Auth::guard('client')->logout(); break;
            case 'web':
            default:        Auth::guard('web')->logout(); break;
        }
        return redirect()->guest(route('login'));
    }
