0

I'm trying to do something similar to here, but not for an API: Fully disable cookies in Laravel 4 API

Basically, I have a login section where users can download specific files and do other stuff. Before they can download, I want them to have to enter the username & password again as an additional security measure (think the same way some banks will do for you to download your statements). My standard auth is working fine. I've managed to implement Auth::onceBasic() okay, but it's remembering I'm logged in and won't ask me more than once (even on closing the browser!).

That's when I found the above link about setting the session.driver to array, but it doesn't seem to work. I've turned off my primary login so that the Auth::onceBasic() is the only authentication and it is still remembering me when I visit the page more than once.

Here's my code:

routes.php:

Route::get('downloads/{file}', 'DownloadsController@show')->before('auth.basic');

filters.php:

Route::filter('auth.basic', function()
{
    Config::set('session.driver', 'array');
    return Auth::onceBasic();
});

...and finally DownloadsController:

public function show($id)
{
    dd(Session::all());
}

My output shows the session as an array and empty, but it's still acting like it's authenticated so I'm not sure where I'm going wrong. I've tested in Chrome and Firefox with the same results.

4
  • This isn't a problem with Laravel, it's just the way basic auth is designed to work. Users remain logged in until the browser is closed. stackoverflow.com/questions/18295994/… Commented Aug 11, 2014 at 1:41
  • @Jeemusu - okay, fair enough. Doesn't make sense, but that seems to be the consensus from the linked question & its linked resources. If you add an answer, will mark as solved. Thanks Commented Aug 11, 2014 at 21:17
  • 1
    Alternatively, why not force the user to a separate login method every time they try to access that page? Instead of using Laravel's Auth::attempt, create a new method to simply just check the credentials, and if it passes set a new session variable. Commented Aug 12, 2014 at 1:25
  • I'll give that a whirl. :) Commented Aug 12, 2014 at 14:10

1 Answer

3

Laravel's Auth::onceBasic() uses HTTP basic authentication, which isn't designed to handle your use case. With basic authentication the user will remain logged in until the browser is closed.


1 Comment

Your explanation is the exact contrary of the official documentation laravel.com/docs/5.2/…. Thanks for pointing this out.
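
The re-prompt suggested in the comments on the question (check the credentials on every download instead of relying on HTTP basic auth), sketched as an added example that is not code from the thread. It assumes Laravel 4's default `auth` and `csrf` filters, an `email` column on the user model, and hypothetical names for the confirm route, the `reauth` view and filter, and the `download_grant` session key.

```php
<?php
// Added example (Laravel 4 style). The confirm route, the 'reauth' view and
// filter, and the 'download_grant' session key are assumed names.

// routes.php
Route::get('downloads/{file}/confirm', array('before' => 'auth', function ($file) {
    // Plain password form that POSTs back to this URL with the CSRF token.
    return View::make('reauth', array('file' => $file));
}));

Route::post('downloads/{file}/confirm', array('before' => 'auth|csrf', function ($file) {
    $credentials = array(
        'email'    => Auth::user()->email,   // assumed column; re-check the logged-in account
        'password' => Input::get('password'),
    );

    // Auth::validate() only verifies the credentials: no login, no cookie,
    // and nothing for the browser to cache and replay on the next request.
    if (! Auth::validate($credentials)) {
        return Redirect::back()->withErrors(array('password' => 'Incorrect password.'));
    }

    // Short-lived grant bound to this one file.
    Session::put('download_grant', array('file' => $file, 'expires' => time() + 60));

    return Redirect::to('downloads/' . $file);
}));

Route::get('downloads/{file}', array(
    'before' => 'auth|reauth',
    'uses'   => 'DownloadsController@show',
));

// filters.php
Route::filter('reauth', function ($route) {
    $file  = $route->getParameter('file');
    $grant = Session::get('download_grant');
    Session::forget('download_grant');       // single use: consumed on first check

    $valid = is_array($grant)
        && $grant['file'] === $file
        && $grant['expires'] >= time();

    if (! $valid) {
        // No fresh grant for this file: ask for the password again.
        return Redirect::to('downloads/' . $file . '/confirm');
    }
});
```

Because the grant lives server-side and is deleted as soon as the filter reads it, every download needs a fresh password entry. The confirm POST is a password-guessing surface, so it should be throttled like the main login.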
