I would like my users to see a list of devices they are logged in on (like in Google, Discord or Instagram). So, I am using Laravel 9 + Breeze + Inertia. No API routes. I was really looking for a solution for 2 weeks but have no idea how it works. All I did was set up Redis as storage for sessions, but I really can't understand how it is possible to get a list of all active sessions and allow the user to revoke specific or all sessions. Any ideas?
#Log out from other devices?
keep session in database 🙂 https://laravel.com/docs/9.x/session
It's not the answer 😫
Really, I can't understand how it works. I see s:220:"a:3:{s:6:"_token";s:40:"JzUOXzEmpaGBkHqfi7q1i0uvoVFGVpoO9oERdeaQ";s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}s:50:"login_web_59ba36addc2b2f9401580f014c7f58ea4e30989d";s:36:"dffb2938-5d12-41ff-ac45-b524f7827e4b";}"; But when I modify _token in Redis and reload the page, Laravel still shows that I am authorised. Wth?
When I sign in from another browser I get the same record in Redis, just a different _token
I am okay with losing all sessions if Redis is restarted (however it allows making backups, so it is not a big deal), I just can't afford to run so many database queries
it is the answer. you should use the db handler and in the migration add a custom column like 'device'. you can get the device using for instance https://github.com/WhichBrowser/Parser-PHP from the useragent, and when you implement a custom session handler https://laravel.com/docs/9.x/session#implementing-the-driver just save the data you need
Why can't I store the user agent in the database but store sessions in Redis? There is no need to access the user agent or IP on each request, just when the user opens the Sessions page. Redis performance makes a huge difference
you can. in that case I think you should connect somehow session id from redis to useragent stored in db, IMO using one engine (either redis or db) is just simpler. and I think this would require custom session handler as well
What is session id in redis? I can't really get it
according to the code snippet you pasted I believe it's the token but not sure
When I change token in redis and reload page I am still logged in
\Session::getId()
as you're executing this code in the context of current user this should work, however keep in mind that guests may also see your site so that value may be null
and you also have auth()->user() that gives you an instance of current logged user (if any)
Ok, I am getting a value. As I understand it, the user has some cookie record in the browser. Then this cookie is sent with the request. Where does the validation process happen?
I need some parameter to match between the user, the database and Redis for each new session
it's laravel magic 😄 all the cookies are encrypted so I think if decryption process fails the user is not authenticated
I've never dug so deep, but maybe someone from laravel's core team would be able to explain how it works under the hood
So that is the question
Also, using the database does not solve this problem
You cannot log out a specific session using the database
Feel free to suggest anything, still looking for solutions!
I would like my users to see a list of devices they are logged in on (like in Google, Discord or Instagram)
This makes no sense. Do you mean you want your users to see what third-party accounts they’ve authorised for your platform?
@candid ruin No, I mean managing sessions on different devices. It was an example