Configuration
Laravel aims to make implementing authentication very simple. In
fact, almost everything is configured for you out of the box. The
authentication configuration file is located at
app/config/auth.php, which contains several well documented
options for tweaking the behavior of the authentication facilities.
By default, Laravel includes a User model in your
app/models directory which may be used with the default
Eloquent authentication driver. Please remember when building the Schema
for this Model to ensure that the password field is a minimum of 60
characters.
If your application is not using Eloquent, you may use the
database authentication driver which uses the Laravel query
builder.
Note: Before getting started, make sure that your
users(or equivalent) table contains a nullable, stringremember_tokencolumn of 100 characters. This column will be used to store a token for "remember me" sessions being maintained by your application. This can be done by using$table->rememberToken();in a migration.
Storing Passwords
The Laravel Hash class provides secure Bcrypt
hashing:
Hashing A Password Using Bcrypt
$password = Hash::make('secret');Verifying A Password Against A Hash
if (Hash::check('secret', $hashedPassword))
{
// The passwords match...
}Checking If A Password Needs To Be Rehashed
if (Hash::needsRehash($hashed))
{
$hashed = Hash::make('secret');
}Authenticating Users
To log a user into your application, you may use the
Auth::attempt method.
if (Auth::attempt(array('email' => $email, 'password' => $password)))
{
return Redirect::intended('dashboard');
}Take note that email is not a required option, it is
merely used for example. You should use whatever column name corresponds
to a "username" in your database. The Redirect::intended
function will redirect the user to the URL they were trying to access
before being caught by the authentication filter. A fallback URI may be
given to this method in case the intended destination is not
available.
When the attempt method is called, the
auth.attempt event will be fired.
If the authentication attempt is successful and the user is logged in,
the auth.login event will be fired as well.
Determining If A User Is Authenticated
To determine if the user is already logged into your application, you
may use the check method:
if (Auth::check())
{
// The user is logged in...
}Authenticating A User And "Remembering" Them
If you would like to provide "remember me" functionality in your
application, you may pass true as the second argument to
the attempt method, which will keep the user authenticated
indefinitely (or until they manually logout). Of course, your
users table must include the string
remember_token column, which will be used to store the
"remember me" token.
if (Auth::attempt(array('email' => $email, 'password' => $password), true))
{
// The user is being remembered...
}Note: If the attempt method returns
true, the user is considered logged into the
application.
Determining If User Authed Via Remember
If you are "remembering" user logins, you may use the
viaRemember method to determine if the user was
authenticated using the "remember me" cookie:
if (Auth::viaRemember())
{
//
}Authenticating A User With Conditions
You also may add extra conditions to the authenticating query:
if (Auth::attempt(array('email' => $email, 'password' => $password, 'active' => 1)))
{
// The user is active, not suspended, and exists.
}Note: For added protection against session fixation, the user's session ID will automatically be regenerated after authenticating.
Accessing The Logged In User
Once a user is authenticated, you may access the User model / record:
$email = Auth::user()->email;To retrieve the authenticated user's ID, you may use the
id method:
$id = Auth::id();To simply log a user into the application by their ID, use the
loginUsingId method:
Auth::loginUsingId(1);Validating User Credentials Without Login
The validate method allows you to validate a user's
credentials without actually logging them into the application:
if (Auth::validate($credentials))
{
//
}Logging A User In For A Single Request
You may also use the once method to log a user into the
application for a single request. No sessions or cookies will be
utilized.
if (Auth::once($credentials))
{
//
}Logging A User Out Of The Application
Auth::logout();Manually Logging In Users
If you need to log an existing user instance into your application,
you may simply call the login method with the instance:
$user = User::find(1);
Auth::login($user);This is equivalent to logging in a user via credentials using the
attempt method.
Protecting Routes
Route filters may be used to allow only authenticated users to access
a given route. Laravel provides the auth filter by default,
and it is defined in app/filters.php.
Protecting A Route
Route::get('profile', array('before' => 'auth', function()
{
// Only authenticated users may enter...
}));CSRF Protection
Laravel provides an easy method of protecting your application from cross-site request forgeries.
Inserting CSRF Token Into Form
<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">Validate The Submitted CSRF Token
Route::post('register', array('before' => 'csrf', function()
{
return 'You gave a valid CSRF token!';
}));HTTP Basic Authentication
HTTP Basic Authentication provides a quick way to authenticate users
of your application without setting up a dedicated "login" page. To get
started, attach the auth.basic filter to your route:
Protecting A Route With HTTP Basic
Route::get('profile', array('before' => 'auth.basic', function()
{
// Only authenticated users may enter...
}));By default, the basic filter will use the
email column on the user record when authenticating. If you
wish to use another column you may pass the column name as the first
parameter to the basic method in your
app/filters.php file:
Route::filter('auth.basic', function()
{
return Auth::basic('username');
});Setting Up A Stateless HTTP Basic Filter
You may also use HTTP Basic Authentication without setting a user
identifier cookie in the session, which is particularly useful for API
authentication. To do so, define a filter that returns the
onceBasic method:
Route::filter('basic.once', function()
{
return Auth::onceBasic();
});If you are using PHP FastCGI, HTTP Basic authentication will not work
correctly by default. The following lines should be added to your
.htaccess file:
RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]Password Reminders & Reset
Model & Table
Most web applications provide a way for users to reset their
forgotten passwords. Rather than forcing you to re-implement this on
each application, Laravel provides convenient methods for sending
password reminders and performing password resets. To get started,
verify that your User model implements the
Illuminate\Auth\Reminders\RemindableInterface contract. Of
course, the User model included with the framework already
implements this interface, and uses the
Illuminate\Auth\Reminders\RemindableTrait to include the
methods needed to implement the interface.
Implementing The RemindableInterface
use Illuminate\Auth\Reminders\RemindableTrait;
use Illuminate\Auth\Reminders\RemindableInterface;
class User extends Eloquent implements RemindableInterface {
use RemindableTrait;
}Generating The Reminder Table Migration
Next, a table must be created to store the password reset tokens. To
generate a migration for this table, simply execute the
auth:reminders-table Artisan command:
php artisan auth:reminders-table
php artisan migratePassword Reminder Controller
Now we're ready to generate the password reminder controller. To
automatically generate a controller, you may use the
auth:reminders-controller Artisan command, which will
create a RemindersController.php file in your
app/controllers directory.
php artisan auth:reminders-controllerThe generated controller will already have a getRemind
method that handles showing your password reminder form. All you need to
do is create a password.remind view. This view should have a basic form
with an email field. The form should POST to the
RemindersController@postRemind action.
A simple form on the password.remind view might look
like this:
<form action="{{ action('RemindersController@postRemind') }}" method="POST">
<input type="email" name="email">
<input type="submit" value="Send Reminder">
</form>In addition to getRemind, the generated controller will
already have a postRemind method that handles sending the
password reminder e-mails to your users. This method expects the
email field to be present in the POST
variables. If the reminder e-mail is successfully sent to the user, a
status message will be flashed to the session. If the
reminder fails, an error message will be flashed
instead.
Within the postRemind controller method you may modify
the message instance before it is sent to the user:
Password::remind(Input::only('email'), function($message)
{
$message->subject('Password Reminder');
});Your user will receive an e-mail with a link that points to the
getReset method of the controller. The password reminder
token, which is used to identify a given password reminder attempt, will
also be passed to the controller method. The action is already
configured to return a password.reset view which you should
build. The token will be passed to the view, and you should
place this token in a hidden form field named token. In
addition to the token, your password reset form should
contain email, password, and
password_confirmation fields. The form should POST to the
RemindersController@postReset method.
A simple form on the password.reset view might look like
this:
<form action="{{ action('RemindersController@postReset') }}" method="POST">
<input type="hidden" name="token" value="{{ $token }}">
<input type="email" name="email">
<input type="password" name="password">
<input type="password" name="password_confirmation">
<input type="submit" value="Reset Password">
</form>Finally, the postReset method is responsible for
actually changing the password in storage. In this controller action,
the Closure passed to the Password::reset method sets the
password attribute on the User and calls the
save method. Of course, this Closure is assuming your
User model is an Eloquent
model; however, you are free to change this Closure as needed to be
compatible with your application's database storage system.
If the password is successfully reset, the user will be redirected to
the root of your application. Again, you are free to change this
redirect URL. If the password reset fails, the user will be redirect
back to the reset form, and an error message will be
flashed to the session.
Password Validation
By default, the Password::reset method will verify that
the passwords match and are >= six characters. You may customize
these rules using the Password::validator method, which
accepts a Closure. Within this Closure, you may do any password
validation you wish. Note that you are not required to verify that the
passwords match, as this will be done automatically by the
framework.
Password::validator(function($credentials)
{
return strlen($credentials['password']) >= 6;
});Note: By default, password reset tokens expire after one hour. You may change this via the
reminder.expireoption of yourapp/config/auth.phpfile.
Encryption
Laravel provides facilities for strong AES encryption via the mcrypt PHP extension:
Encrypting A Value
$encrypted = Crypt::encrypt('secret');Note: Be sure to set a 16, 24, or 32 character random string in the
keyoption of theapp/config/app.phpfile. Otherwise, encrypted values will not be secure.
Decrypting A Value
$decrypted = Crypt::decrypt($encryptedValue);Setting The Cipher & Mode
You may also set the cipher and mode used by the encrypter:
Crypt::setMode('ctr');
Crypt::setCipher($cipher);Authentication Drivers
Laravel offers the database and eloquent
authentication drivers out of the box. For more information about adding
additional authentication drivers, check out the Authentication extension
documentation.