Laravel: What is "remember_token" in the "users" DB table?
Solution 1
No. It's not supposed to be used to authenticate. It's used by the framework to help against Remember Me
cookie hijacking. The value is refreshed upon login and logout. If a cookie is hijacked by a malicious person, logging out makes the hijacked cookie useless since it doesn't match anymore.
Refer to this documentation:
https://laravel.com/docs/4.2/upgrade#upgrade-4.1.29
Solution 2
I had to add the remember_token
to my users table migration in order for Auth::logout()
to work properly.
Added remember_token
to my migrations as such.
<?php
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Database\Migrations\Migration;
class CreateUsersTable extends Migration {
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
//
Schema::create('users', function(Blueprint $table)
{
$table->increments('id');
$table->string('lname', 32);
$table->string('fname', 32);
$table->string('username', 32);
$table->string('email', 320);
$table->string('remember_token', 100);
$table->string('password', 64);
$table->timestamps();
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
//
Schema::drop('users');
}
}
From the command-line you the have to drop the users table, then migrate/seed.
Solution 3
Even if this an old question, I wanted to present an option not use the token if you don't need it (e.g. have no remember me option on your site).
Instead of adding a dummy column to your users table you can just prevent Auth::logout() from setting it.
Just add this to your User model (works as of Laravel 5.6):
public function save(array $options = array()) {
if(isset($this->remember_token))
unset($this->remember_token);
return parent::save($options);
}
This removes the 'remember_token' column just before the model gets saved and thus preventing an error to be risen because of the non-existant column.
Onion
Updated on November 10, 2020Comments
-
Onion over 3 years
Is it safe to use the
remember_token
in the users table for authenticating the user into the application?What is the purpose of this token? Currently, I'm using it in forms to check whether the user is logged in - if the token is not present, I show the login screen. Each time the user logs out, this token is regenerated.
-
Onion about 10 yearsHow should I then implement an authentication system using a token? I need this to get the app running.
-
sidneydobber about 10 yearsTokens are used to reset credentials, like password reminders. For authentication you should use the Auth:: class.
-
Onion about 10 yearsI understand that, but I'm developing an API for mobile devices, therefore I need to authenticate the device using a token.
-
sidneydobber about 10 yearsA I get it, in an OAuth2.0 kind of way? I have been working on this as well, but this is pretty hard to implement. I will give you some links.
-
sidneydobber about 10 yearsThis is basic auth authentication and not save to use, even when using HTTPS (SSL) it's not recomended.
-
sidneydobber about 10 yearsI would recommend using OAuth2.0 github.com/lucadegasperi/oauth2-server-laravel! It's not easy to implement, but this is the most secure way at the moment. You should be really careful with this stuff it also depends on how sensitive the information is that your API is serving.
-
sidneydobber about 10 yearsThe token can be intercepted by a malicious person and used for API calls in behalve of the original user.
-
sidneydobber about 10 years
-
Onion about 10 yearsOne question: I'm not using FB, Twitter or any other accounts in my application. Which grant should I use if I want to authenticate a user using an email and a password in my users table?
-
sidneydobber about 10 yearsThis should work, I succesfully implemented this grant. It is not to hard to setup. oauthlib.readthedocs.org/en/latest/oauth2/grants/password.html
-
sidneydobber about 10 yearsA friendly overview: oauthlib.readthedocs.org/en/latest/oauth2/grants/grants.html and the official overview: tools.ietf.org/html/rfc6749 hope this will help you.
-
sidneydobber about 10 yearsOAuth is simply for safely establishing cross origin authentication. Good luck and beware, do not take this lightly since you might open up your whole database for the public and not be aware of this! I spend days of reading and sandboxing pet projects and I'm still a noob! :)
-
Onion about 10 yearsThanks for the help. I still find it difficult to understand how to use oauth2 in my application - specifically the password grant. Edit: I guess I'm starting to get the hang of it.
-
sidneydobber about 10 years1. Register the user with the API (database that OAuth uses). 2. The user logs in to the app, the app sends a request for a token and gets it because the user is valid. 3. The user can do requests using the token to validate. In a nutshell. :)
-
Onion about 10 yearsI'm currently setting up a test form that I will use to authenticate the user. I've added the
grant_type
parameter (with a value ofpassword
), but the app requests aclient_id
as well. What should I use forclient_id
andclient_secret
? -
sidneydobber about 10 yearsclient_id is the username and client_secret is an extra value that can be set by the user when registering or generated by your app these are both set on the API database that OAuth uses.
-
Onion about 10 yearsHere's what I've found:
Every registered OAuth application is assigned a unique Client ID and Client Secret.
Does this mean that along with the username and password I need to send two extra parameters -client_id
andclient_secret
- both obtained after registering my application? -
sidneydobber about 10 yearsI always use postman REST client to do my testing. chrome.google.com/webstore/detail/postman-rest-client/…
-
Onion about 10 yearsThere is an
Authorization callback URL
field in the oauth application registration form. What exactly should be input here? -
sidneydobber about 10 yearsThe callback url is not mandatory, this is what happens when you login using your Twitter account, Twitnerd is a good example. You get redirected to the url you came from after successfully logging in, in that case the Twitnerd website. But this is not what you are trying to do!
-
Onion about 10 yearsBut I get the following error: 'invalid_client'. If I don't put client_id and client_secret in the form I also get errors, which tell me that the parameters are malformed. How do I solve this?
-
sidneydobber about 10 yearsYes you should put them in the form, these are used to authenticate the request, they should match a user and secret in the OAuth database.
-
Onion about 10 yearsHow do I get the client id and secret then? Generate it when the user registers?
-
sidneydobber about 10 yearsI created a chatroom to continue the conversation in the right place. chat.stackoverflow.com/rooms/51330/…
-
SnapShot almost 10 yearsJust wanted to point out a minor change - according to the [Laravel upgrade guide][laravel.com/docs/upgrade#upgrade-4.1.26] the remember_token should be 100 not 64 - so
$table->string('remember_token', 100);
-
markdwhite over 7 yearsAnd ->nullable() "you should verify that your users (or equivalent) table contains a nullable, string remember_token column of 100 characters"
-
Chhorn Elit over 5 yearswhen create new user can I put it empy?
-
sidneydobber over 5 yearsYou don’t have to do anything in get’s done for you. For testing while developing you can delete them.
-
adam almost 5 yearsthis help full in 5.2 too