Where is my session? How does Laravel work its login magic?

Tram Ho

1. Stating the problem

Laravel is currently the most used PHP framework thanks to its ease of use, built-in MVC model, built-in features, security features …. And surely almost everyone who has worked with Laravel has implemented a login function.

Have you ever gone into Laravel's core to see how it compares the email and password against the database and creates the SESSION?

When coding, you only need to pass params such as email and password to the attempt() function of the Auth facade, like this:

When working with pure PHP, on the other hand, you have to set the SESSION yourself, like this:

So, let's try to find out what Laravel has hidden inside its login mechanism.

2. Tinkering

A quick glance at the config section reveals a config/auth.php file.

Laravel's authentication system is built on two core components: guards and providers.


Think of a guard as the component that supplies the logic used to authenticate users. In Laravel, we usually use the session guard or the token guard. The session guard maintains the user's state across requests using cookies. The token guard authenticates the user by checking for a valid token on each request.

So, as you can see, the guard defines the authentication logic, and it does not always have to authenticate by retrieving valid information from the back-end. You can implement a guard that simply checks for the presence of a specific piece of information in the request's headers and authenticates the user based on that.


While guards define the logic for authentication, providers retrieve the user data from the back-end. If a guard requires the user to be validated against back-end storage, retrieving the user is the provider's job. The built-in providers support accessing the database through Eloquent and the Query Builder. However, we can change this. For example, if the User model is in the App namespace and you want to move it to the App\Model namespace, change providers in the config/auth.php file as follows:

In this article we look at how Laravel handles login and saves the session. Since the web guard is configured with the session driver, we will focus on vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php.

As mentioned at the beginning of the article, to implement login we only need to pass params to the attempt() function and Laravel handles the rest for us, so let's look for the attempt() function in the SessionGuard class to see how it works.

This is the function we need:

$this->fireAttemptEvent($credentials, $remember); This line fires the event for the login attempt.

Next, it retrieves the user that matches the params passed in: $this->lastAttempted = $user = $this->provider->retrieveByCredentials($credentials);

This calls the retrieveByCredentials() function of Illuminate\Contracts\Auth\UserProvider, so let's go there to see what this function does.

Once you know that UserProvider is just an interface (yaoming), look at vendor/laravel/framework/src/Illuminate/Auth/EloquentUserProvider.php, which implements UserProvider, to see what the retrieveByCredentials function does. Here it is:

Thus the retrieveByCredentials function looks up the user that matches the information passed in.

Next in the attempt() function, if the returned user is null, authentication fails and attempt() returns false. If a user is returned:

It validates the user against the given credentials, and if that succeeds it calls the login() function with the user and remember as parameters.

So what does the login() function do?

The updateSession() function calls put() and migrate() in vendor/laravel/framework/src/Illuminate/Session/Store.php. The put function stores a key => value pair in the session, with the key being $this->getName() and the value being $id; the key is unique.

The migrate function generates a new session ID 40 characters long. You can go to storage/framework/sessions and count to check that each session name is exactly 40 characters long.

In short, the updateSession() function creates or updates the session for us, with a session ID 40 characters long.
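The flow described above (attempt(), retrieveByCredentials(), the credential check, then updateSession() with put() and migrate()) reduced to plain PHP, as an added example that is not Laravel's own code. The in-memory user table, the session array, the login_web key name, the use of password_verify() for the credential check and the hex ID generator are assumptions made for illustration; replacing the session ID at login is what keeps an ID issued before login from carrying the authenticated state.

```php
<?php
// Added illustration, not Laravel source: the attempt() -> login() ->
// updateSession() flow reduced to plain PHP with in-memory data.

// Constructed sample user table.
$users = [[
    'id' => 7,
    'email' => 'alice@example.test',
    'password' => password_hash('correct horse', PASSWORD_DEFAULT),
]];

// Provider role: find the user by every credential except the password.
function retrieveByCredentials(array $users, array $credentials): ?array
{
    unset($credentials['password']);
    if ($credentials === []) {
        return null;               // a password alone must never match a user
    }
    foreach ($users as $user) {
        foreach ($credentials as $key => $value) {
            if (!array_key_exists($key, $user) || $user[$key] !== $value) {
                continue 2;        // mismatch: try the next user
            }
        }
        return $user;
    }
    return null;
}

// Guard role: check the password, then write the session.
function attempt(array $users, array $credentials, array &$session): bool
{
    $user = retrieveByCredentials($users, $credentials);
    $password = (string) ($credentials['password'] ?? '');
    if ($user === null || !password_verify($password, $user['password'])) {
        return false;
    }
    // updateSession(): put() the user id under the guard's key ...
    $session['data']['login_web'] = $user['id'];  // hypothetical key name
    // ... then migrate() to a fresh 40-character session ID.
    $session['id'] = bin2hex(random_bytes(20));   // stand-in ID generator
    return true;
}

$session = ['id' => 'id-issued-before-login', 'data' => []];
$login = ['email' => 'alice@example.test', 'password' => 'wrong'];
var_dump(attempt($users, $login, $session), $session['id']);
$login['password'] = 'correct horse';
var_dump(attempt($users, $login, $session), strlen($session['id']), $session['data']);
```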

When the user ticks "remember me":

The ensureRememberTokenIsSet() function checks whether the user has a remember_token; if not, it generates a remember_token and stores it for that user.

The queueRecallerCookie() function queues the cookie to be returned to the user.


  • To sum up, I have shared how Laravel works its magic: how it handles login, saves the session and implements the remember_me function.
  • Whatever it is, it is built from pure PHP, so when you use any function of the framework, be curious about how it works and learn what makes it so good.
  • Hopefully the next article will explore some more of Laravel's good parts.

Source : Viblo