Skip to content
Get started with PHP and Laravel faster than ever using Laravel Herd.
Join us in Dallas, TX! Tickets are now available for Laracon US.
Let's go to India! Tickets are now available for Laracon IN.
Let's go to Europe! Tickets are now available for Laracon EU.
Let's go down under! Tickets are now available for Laracon AU.
Servers with PHP 8.3 are now available for provisioning via Laravel Forge.
Deploy Laravel with the infinite scale of serverless using Laravel Vapor.
How's your health? Check your application's vital signs using Laravel Pulse.
Incoming transmission received. Laravel Reverb is now available!
Take your administration backend to another dimension with Laravel Nova.
Laravel is hiring! Help us build the future of Laravel.
Preface
●
Introduction
●
Quickstart
●
Release Notes
●
Upgrade Guide
●
Contribution Guide
Getting Started
●
Installation
●
Configuration
●
Homestead
●
Request Lifecycle
●
Routing
●
Requests & Input
●
Views & Responses
●
Controllers
●
Errors & Logging
Learning More
●
Authentication
●
Billing
●
Cache
●
Core Extension
●
Events
●
Facades
●
Forms & HTML
●
Helpers
●
IoC Container
●
Localization
●
Mail
●
Package Development
●
Pagination
●
Queues
●
Security
●
Session
●
SSH
●
Templates
●
Unit Testing
●
Validation
Database
●
Basic Usage
●
Query Builder
●
Eloquent ORM
●
Schema Builder
●
Migrations & Seeding
●
Redis
Artisan CLI
●
Overview
●
Development
Laravel Forge: create and manage PHP 8 servers. Deploy your Laravel applications in seconds. Sign up now!.
Laravel Vapor: experience extreme scale on a dedicated serverless platform for Laravel. Sign up now!.
Laravel Nova: The next generation of Nova is now available.
Laravel Pulse: How's your health? Check your application's vital signs using Laravel Pulse.
Laravel Reverb: You can easily build dynamic, real-time Laravel applications using WebSockets. Laravel Reverb is now available!
Preface
●
Introduction
●
Quickstart
●
Release Notes
●
Upgrade Guide
●
Contribution Guide
Getting Started
●
Installation
●
Configuration
●
Homestead
●
Request Lifecycle
●
Routing
●
Requests & Input
●
Views & Responses
●
Controllers
●
Errors & Logging
Learning More
●
Authentication
●
Billing
●
Cache
●
Core Extension
●
Events
●
Facades
●
Forms & HTML
●
Helpers
●
IoC Container
●
Localization
●
Mail
●
Package Development
●
Pagination
●
Queues
●
Security
●
Session
●
SSH
●
Templates
●
Unit Testing
●
Validation
Database
●
Basic Usage
●
Query Builder
●
Eloquent ORM
●
Schema Builder
●
Migrations & Seeding
●
Redis
Artisan CLI
●
Overview
●
Development
WARNING You're browsing the documentation for an old version of Laravel.
Consider upgrading your project to Laravel 11.x.
Security
●
Configuration
●
Storing Passwords
●
Authenticating Users
●
Manually Logging In Users
●
Protecting Routes
●
HTTP Basic Authentication
●
Password Reminders & Reset
●
Encryption
●
Authentication Drivers
Configuration
Laravel aims to make implementing authentication very simple. In fact, almost everything is configured for you out of the box. The authentication configuration file is located at app/config/au
th.php
, which contains several well documented options for tweaking the behavior of the authentication facilities.
By default, Laravel includes a U
ser
model in your app/models
directory which may be used with the default Eloquent authentication driver. Please remember when building the Schema for this Model to ensure that the password field is a minimum of 60 characters.
If your application is not using Eloquent, you may use the datab
ase
authentication driver which uses the Laravel query builder.
Before getting started, make sure that your users
(or equivalent) table contains a nullable, string remember_token
column of 100 characters. This column will be used to store a token for "remember me" sessions being maintained by your application. This can be done by using $table->remembe
rToken();
in a migration.
Storing Passwords
The Laravel Hash
class provides secure Bcrypt hashing:
Hashing A Password Using Bcrypt
$password = Hash::make('secret');
Verifying A Password Against A Hash
if (Hash::check('secret', $hashedPassword))
{
// The passwords match...
}
Checking If A Password Needs To Be Rehashed
if (Hash::needsRehash($hashed))
{
$hashed = Hash::make('secret');
}
Authenticating Users
To log a user into your application, you may use the Auth::attem
pt
method.
if (Auth::attempt(array('email' => $email, 'password' => $password)))
{
return Redirect::intended('dashboard');
}
Take note that email
is not a required option, it is merely used for example. You should use whatever column name corresponds to a "username" in your database. The Redirect::intended
function will redirect the user to the URL they were trying to access before being caught by the authentication filter. A fallback URI may be given to this method in case the intended destination is not available.
When the attempt
method is called, the auth.attempt
event will be fired. If the authentication attempt is successful and the user is logged in, the auth.login
event will be fired as well.
Determining If A User Is Authenticated
To determine if the user is already logged into your application, you may use the check
method:
if (Auth::check())
{
// The user is logged in...
}
Authenticating A User And "Remembering" Them
If you would like to provide "remember me" functionality in your application, you may pass true
as the second argument to the at
tempt
method, which will keep the user authenticated indefinitely (or until they manually logout). Of course, your users
table must include the string remember_t
oken
column, which will be used to store the "remember me" token.
if (Auth::attempt(array('email' => $email, 'password' => $password), true))
{
// The user is being remembered...
}
Note: If the attempt
method returns true
, the user is considered logged into the application.
Determining If User Authed Via Remember
If you are "remembering" user logins, you may use the viaRemembe
r
method to determine if the user was authenticated using the "remember me" cookie:
if (Auth::viaRemember())
{
//
}
Authenticating A User With Conditions
You also may add extra conditions to the authenticating query:
if (Auth::attempt(array('email' => $email, 'password' => $password, 'active' => 1)))
{
// The user is active, not suspended, and exists.
}
For added protection against session fixation, the user's session ID will automatically be regenerated after authenticating.
Accessing The Logged In User
Once a user is authenticated, you may access the User model / record:
$email = Auth::user()->email;
To retrieve the authenticated user's ID, you may use the id
method:
$id = Auth::id();
To simply log a user into the application by their ID, use the l
oginUsingId
method:
Auth::loginUsingId(1);
Validating User Credentials Without Login
The validate
method allows you to validate a user's credentials without actually logging them into the application:
if (Auth::validate($credentials))
{
//
}
Logging A User In For A Single Request
You may also use the once
method to log a user into the application for a single request. No sessions or cookies will be utilized.
if (Auth::once($credentials))
{
//
}
Logging A User Out Of The Application
Auth::logout();
Manually Logging In Users
If you need to log an existing user instance into your application, you may simply call the logi
n
method with the instance:
$user = User::find(1);
Auth::login($user);
This is equivalent to logging in a user via credentials using the attempt
method.
Protecting Routes
Route filters may be used to allow only authenticated users to access a given route. Laravel provides the auth
filter by default, and it is defined in app/filter
s.php
.
Protecting A Route
Route::get('profile', array('before' => 'auth', function()
{
// Only authenticated users may enter...
}));
CSRF Protection
Laravel provides an easy method of protecting your application from cross-site request forgeries.
Inserting CSRF Token Into Form
<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">
Validate The Submitted CSRF Token
Route::post('register', array('before' => 'csrf', function()
{
return 'You gave a valid CSRF token!';
}));
HTTP Basic Authentication
HTTP Basic Authentication provides a quick way to authenticate users of your application without setting up a dedicated "login" page. To get started, attach the auth.basic
filter to your route:
Protecting A Route With HTTP Basic
Route::get('profile', array('before' => 'auth.basic', function()
{
// Only authenticated users may enter...
}));
By default, the basic
filter will use the email
column on the user record when authenticating. If you wish to use another column you may pass the column name as the first parameter to the basi
c
method in your app/filters.php
file:
Route::filter('auth.basic', function()
{
return Auth::basic('username');
});
Setting Up A Stateless HTTP Basic Filter
You may also use HTTP Basic Authentication without setting a user identifier cookie in the session, which is particularly useful for API authentication. To do so, define a filter that returns the onceBasic
method:
Route::filter('basic.once', function()
{
return Auth::onceBasic();
});
If you are using PHP FastCGI, HTTP Basic authentication will not work correctly by default. The following lines should be added to your .htaccess
file:
RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
Password Reminders & Reset
Model & Table
Most web applications provide a way for users to reset their forgotten passwords. Rather than forcing you to re-implement this on each application, Laravel provides convenient methods for sending password reminders and performing password resets. To get started, verify that your User
model implements the Illuminate\Aut
h\Reminders\RemindableInterface
contract. Of course, the User
model included with the framework already implements this interface, and uses the Illuminate\Auth\
Reminders\RemindableTrait
to include the methods needed to implement the interface.
Implementing The RemindableInterface
use Illuminate\Auth\Reminders\RemindableTrait;
use Illuminate\Auth\Reminders\RemindableInterface;
class User extends Eloquent implements RemindableInterface {
use RemindableTrait;
}
Generating The Reminder Table Migration
Next, a table must be created to store the password reset tokens. To generate a migration for this table, simply execute the auth
:reminders-table
Artisan command:
php artisan auth:reminders-table
php artisan migrate
Password Reminder Controller
Now we're ready to generate the password reminder controller. To automatically generate a controller, you may use the auth:remin
ders-controller
Artisan command, which will create a RemindersCo
ntroller.php
file in your app/co
ntrollers
directory.
php artisan auth:reminders-controller
The generated controller will already have a getRemind
method that handles showing your password reminder form. All you need to do is create a password.remind
Template by creating a file remin
d.blade.php
in the app/views/pas
sword/
directory.
This view should have a basic form with an emai
l
field. The form should POST to the RemindersController@postRem
ind
action.
A simple form on the password.re
mind
view might look like this:
<form action="{{ action('RemindersController@postRemind') }}" method="POST">
<input type="email" name="email">
<input type="submit" value="Send Reminder">
</form>
In addition to getRemind
, the generated controller will already have a postRemind
method that handles sending the password reminder e-mails to your users. This method expects the email
field to be present in the POST
variables. If the reminder e-mail is successfully sent to the user, a s
tatus
message will be flashed to the session. If the reminder fails, an error
message will be flashed instead.
Within the postRemind
controller method you may modify the message instance before it is sent to the user:
Password::remind(Input::only('email'), function($message)
{
$message->subject('Password Reminder');
});
Your user will receive an e-mail with a link that points to the getReset
method of the controller. The password reminder token, which is used to identify a given password reminder attempt, will also be passed to the controller method. The action is already configured to return a password.
reset
template which you should build. The token
will be passed to the view, and you should place this token in a hidden form field named token
. In addition to the token
, your password reset form should contain email
, passwo
rd
, and password_confirmation
fields. The form should POST to the RemindersController@postReset
method.
A simple form on the password.re
set
view might look like this:
<form action="{{ action('RemindersController@postReset') }}" method="POST">
<input type="hidden" name="token" value="{{ $token }}">
<input type="email" name="email">
<input type="password" name="password">
<input type="password" name="password_confirmation">
<input type="submit" value="Reset Password">
</form>
Finally, the postReset
method is responsible for actually changing the password in storage. In this controller action, the Closure passed to the Password::reset
method sets the password
attribute on the User
and calls the sa
ve
method. Of course, this Closure is assuming your User
model is an Eloquent model; however, you are free to change this Closure as needed to be compatible with your application's database storage system.
If the password is successfully reset, the user will be redirected to the root of your application. Again, you are free to change this redirect URL. If the password reset fails, the user will be redirect back to the reset form, and an error
message will be flashed to the session.
Password Validation
By default, the Password::reset
method will verify that the passwords match and are >= six characters. You may customize these rules using the Password::validat
or
method, which accepts a Closure. Within this Closure, you may do any password validation you wish. Note that you are not required to verify that the passwords match, as this will be done automatically by the framework.
Password::validator(function($credentials)
{
return strlen($credentials['password']) >= 6;
});
By default, password reset tokens expire after one hour. You may change this via the reminder.ex
pire
option of your app/config/a
uth.php
file.
Encryption
Laravel provides facilities for strong AES encryption via the mcrypt PHP extension:
Encrypting A Value
$encrypted = Crypt::encrypt('secret');
Be sure to set a 16, 24, or 32 character random string in the ke
y
option of the app/config/app.p
hp
file. Otherwise, encrypted values will not be secure.
Decrypting A Value
$decrypted = Crypt::decrypt($encryptedValue);
Setting The Cipher & Mode
You may also set the cipher and mode used by the encrypter:
Crypt::setMode('ctr');
Crypt::setCipher($cipher);
Authentication Drivers
Laravel offers the database
and eloquent
authentication drivers out of the box. For more information about adding additional authentication drivers, check out the Authentication extension documentation.
Laravel is a web application framework with expressive, elegant syntax. We believe development must
be an enjoyable and creative experience to be truly fulfilling. Laravel attempts to take the pain
out of development by easing common tasks used in most web projects.
Highlights
●
Release Notes
●
Getting Started
●
Routing
●
Blade Templates
●
Authentication
●
Authorization
●
Artisan Console
●
Database
●
Eloquent ORM
●
Testing
Resources
●
Laravel Bootcamp
●
Laracasts
●
Laravel News
●
Laracon
●
Laracon AU
●
Laracon EU
●
Laracon India
●
Larabelles
●
Careers
●
Jobs
●
Forums
●
Trademark
Partners
●
Vehikl
●
WebReinvent
●
Tighten
●
Bacancy
●
64 Robots
●
Active Logic
●
Black Airplane
●
Byte 5
●
Curotec
●
Cyber-Duck
●
DevSquad
●
Jump24
●
Kirschbaum
Ecosystem
●
Breeze
●
Cashier
●
Dusk
●
Echo
●
Envoyer
●
Forge
●
Herd
●
Horizon
●
Inertia
●
Jetstream
●
Livewire
●
Nova
●
Octane
●
Pennant
●
Pint
●
Prompts
●
Pulse
●
Reverb
●
Sail
●
Sanctum
●
Scout
●
Socialite
●
Spark
●
Telescope
●
Vapor
Laravel is a Trademark of Laravel Holdings Inc.
Copyright © 2011-2024 Laravel Holdings Inc.
Code highlighting provided by Torchlight