
I switched to the database driver for Session and migrated the table. I've noticed that even after the logout action, the value last_activity in the table keeps getting updated after every refresh, even if the user isn't logged in anymore.

I've tried removing it from the records of the database, but once the user refreshes the login page, it gets inserted again.

I believe I'm doing something wrong when logging the user out. I want Laravel to stop refreshing the record of the session, as it might cause issues if every logged-out user kept accessing the database with their refreshes.

I'm logging in like this:

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

public function loginUser(Request $request)
{
    // the remember-me checkbox is submitted as "on" when ticked
    $remember = $request->remember_me === "on";
    if (Auth::attempt($request->only('email', 'password'), $remember)) {
        // return settings too
        // attempt() has already authenticated the session, so an inactive
        // account must be logged out again before the request is rejected
        if (Auth::user()->active === false) {
            Auth::logout();
            return response()->json(array('status' => 'failure', 'message' => "Your account isn't active!"), 500);
        }
        // rotate the session id on login to defeat session fixation
        $request->session()->regenerate();

        return response()->json(
            array(
                'status' => 'success',
                'message' => "Login is successful!"
            ),
            200
        );
    }

    return response()->json(array('status' => 'failure', 'message' => 'Invalid credentials'), 401);
}

I'm logging out like this:

public function logoutUser(Request $request){
    // revoke the user's Sanctum tokens (if still authenticated) and log the web guard out
    if ($request->user()) { $request->user()->tokens()->delete(); }
    Auth::guard('web')->logout();
    // invalidate() also destroys the old row in the `sessions` table; the browser then gets a fresh guest session
    $request->session()->invalidate();
    $request->session()->regenerateToken();
}

It's an SPA project using Sanctum.

config/session.php

<?php
// config/session.php

use Illuminate\Support\Str;

return [
    'driver' => env('SESSION_DRIVER', 'database'),
    'lifetime' => env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,
    'encrypt' => false, // session payloads are stored unencrypted in the sessions table
    'files' => storage_path('framework/sessions'),
    'connection' => env('SESSION_CONNECTION', null),
    'table' => 'sessions',
    'store' => env('SESSION_STORE', null),
    'lottery' => [2, 100], // ~2% of requests run garbage collection on expired sessions
    'cookie' => env(
        'SESSION_COOKIE',
        Str::slug(env('APP_NAME', 'laravel'), '_').'_session'
    ),
    'path' => '/',
    'domain' => env('SESSION_DOMAIN', null),
    'secure' => env('SESSION_SECURE_COOKIE'), // unset means the cookie is also sent over plain HTTP
    'http_only' => true,
    'same_site' => 'lax',
];

The user accesses the /login page, then they get redirected to /dashboard. Basically, /dashboard needs auth; otherwise, you don't need to be logged in.

I've tried using /dashboard in the path field and cleared the config, but it didn't work.

I've noticed that the session gets registered regardless of whether the user is logged in or not; as long as the user visits the website, it gets registered. My understanding was that it happens after the user is logged in, as it would be a hassle to insert a record whenever a guest visits.

My question shifts into the following: How can I prevent this behavior from happening? I want to limit the session saving to a specific path only, which is /dashboard, and I want to ignore the session tracking for users who aren't logged in. The moment they log out, the session gets destroyed.

Jaeger
  • Actually, it's registering every session, even if the user is logged in/registered. – Jaeger Sep 27 '21 at 17:37
  • Could you please share the file `config/session.php`? – Thân LƯƠNG Đình Sep 28 '21 at 01:24
  • I've inserted the session config! – Jaeger Sep 28 '21 at 17:33
  • I think you're confused on what a "session" is. When your browser accesses your site, a new session is created, regardless of authentication. When you login, your session is updated to indicate that, and when you logout, the same happens. The session is representative of your browser being connected to your website, so of course `last_activity` is being updated even after logout; that is irrelevant to your user authentication. – Tim Lewis Sep 28 '21 at 17:41
  • I've understood that last night, but forgot to update the question. I'm searching for a way to avoid registering the session into the database, as it's gonna cause an issue later, when the website gets many visitors. Is there a way to make it authenticated only? – Jaeger Sep 28 '21 at 17:42
  • Nope; the database session driver will log **all sessions**, regardless of authenticated user or not; that's why there's a "nullable" `user_id` column in `sessions` table. Why do you think this will become an issue in the future? – Tim Lewis Sep 28 '21 at 18:14
  • It's a websocket project, and there's a high chance that every user would be accessing the website. It has a dashboard and also some ways for a normal end-user to access the normal website, which means at least 500K sessions. Should I switch to the default cookie approach? As I've already got the "database locked" exception due to multiple connections at the same time on the session table. – Jaeger Sep 28 '21 at 18:16
  • Hmm, I see. I think you're gonna have to do some more research on handling large numbers of concurrent connections in a Laravel application. I can't say I've ever dealt with 500k connections at the same time, but I guess if you have a database lock for number of connections, that would be an issue. If you went with Cookie/File driver for session, you'd end up with 500k files in `storage/framework/sessions`, but no database lock, so _maybe_ that's a better approach? Sounds like you understand what's going on now too, so that's good – Tim Lewis Sep 28 '21 at 18:23
  • Thank you for this different perspective. Seems like I need to find a way to make it easier on the server. Many files will also provide a problem for accessing the path and also heavy to fetch. It's a better approach but not the best one, I'll have to look for best practice and see how it's properly done. If you have any idea, please do let me know! It's highly appreciated. Thank you regardless for your comments, really helpful! – Jaeger Sep 28 '21 at 18:36
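Since the database driver writes a row for every visitor (as explained in the comments above), one way to keep the `sessions` table small under heavy anonymous traffic is to prune idle guest rows on a shorter window than the configured lifetime. This is an added example, not code from the question or from Laravel itself; it assumes Laravel's default `sessions` schema (nullable `user_id`, integer `last_activity` unix timestamp), and the command name, option name and class name are my own choices.

```php
<?php
// app/Console/Commands/PruneGuestSessions.php (added example; class and option names are assumptions)
namespace App\Console\Commands;

use Illuminate\Console\Command;
use Illuminate\Support\Facades\DB;

class PruneGuestSessions extends Command
{
    protected $signature = 'sessions:prune-guests
                            {--minutes=15 : idle minutes after which a guest (user_id IS NULL) row is dropped}';

    protected $description = 'Prune idle guest rows from the sessions table ahead of the normal lifetime';

    public function handle(): int
    {
        $query = DB::connection(config('session.connection'))
            ->table(config('session.table', 'sessions'));
        $now = time(); // the database driver stores last_activity as a unix timestamp

        // Authenticated rows expire on the configured lifetime, exactly as the driver's own gc() does.
        $auth = (clone $query)
            ->whereNotNull('user_id')
            ->where('last_activity', '<=', $now - 60 * (int) config('session.lifetime', 120))
            ->delete();

        // Guest rows (a cookie was issued but nobody logged in) go after a much shorter idle window,
        // so a flood of anonymous visitors cannot keep hundreds of thousands of rows alive.
        $guest = (clone $query)
            ->whereNull('user_id')
            ->where('last_activity', '<=', $now - 60 * (int) $this->option('minutes'))
            ->delete();

        $this->info("pruned {$auth} expired authenticated and {$guest} idle guest session rows");

        return 0;
    }
}

// app/Console/Kernel.php: run it from the scheduler instead of relying only on the
// request-time lottery ('lottery' => [2, 100] means ~2% of web requests run gc() inline).
//
//   protected function schedule(Schedule $schedule)
//   {
//       $schedule->command('sessions:prune-guests --minutes=15')->everyTenMinutes()->withoutOverlapping();
//   }
```

Dropping a guest row while that visitor is still sitting on the login page also discards their CSRF token, so the SPA should fetch `/sanctum/csrf-cookie` again (or reload) before retrying a request that came back 419.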
