
Comments (7)

adamwathan commented on June 8, 2024

Hmm that's odd. Once the very first authentication with GitHub happens, it never hits the provider again, just uses the regular User instance that's registered with the Auth class. I would be really surprised if the problem was related to this package, as all it eventually does is call Auth::login with a user ID and let Laravel handle everything after that.

If you look at the source for the Laravel Guard class, it looks impossible for Auth::check() to return true if the user is null:

    public function check()
    {
        return ! is_null($this->user());
    }

Can you confirm for sure that Auth::check() is coming back true? If so that means Auth::user() is not null... You might want to try adding some debug statements in the Guard class to figure out what's up.

from eloquent-oauth.

mikebronner commented on June 8, 2024

Ack! You're absolutely right, it is my code of course. I went through and traced function calls on my page, and I was trying to access Auth::user() without doing Auth::check() first. Sorry about the false alarm. :)


mikebronner commented on June 8, 2024

Just as a point of clarification: this means that Laravel still dictates the timeout, even though GitHub doesn't consider the user timed out?

What tripped up my thought process on debugging this was that I expected no timeout, as the GitHub login doesn't time out unless you log off explicitly.

Is there a way to have Laravel respect that and not time out, as long as GitHub doesn't time out or get logged off?


adamwathan commented on June 8, 2024

It's not quite like that, Laravel is responsible for anything to do with a user being considered "logged in". After the initial request to GitHub, GitHub is totally out of the picture, the person is never considered "logged in" from GitHub's perspective. Think of GitHub as an alternative to email and password. It's just entered once, after that it's just up to Laravel's session management to decide whether you are authenticated in the app or not. There's no "log the user out from GitHub once Laravel times out", that's just not how it works.

Hopefully that clarifies something, I feel like I didn't do a good job :/ heh


mikebronner commented on June 8, 2024

No worries. :) I understand how the GitHub login works. However, here's what I'm experiencing:

  • User logs in using GitHub.
  • User is inactive for a while.
  • Session expires in the app, and user is considered "logged out", even though they are not really logged out, because GitHub doesn't consider them logged out.

To me this feels like a discrepancy, or is this in fact desired/expected behavior, and I need to set that to work somehow differently? This is probably lack of understanding on how this package should work, more than anything. :)


zcwilt commented on June 8, 2024

@mikebronner It is expected behaviour, however it is something that you also have control over.

Laravel uses a cookie to control the session. Settings for this can be found in config/sessions.php, specifically

    'lifetime' => 120,
    'expire_on_close' => false,


adamwathan commented on June 8, 2024

Yeah @zcwilt is spot on.

The concepts of someone being logged in to your app and being logged in to GitHub are totally separate. If someone were to log in with GitHub, then go and log out of GitHub, they would still be logged in to your app until they logged out. If you play around with other sites that use a social login you'll notice the same behavior. If you tried to log the person out when they logged out of GitHub, you'd have to make a network request to GitHub on every single page load, and it doesn't really make sense anyways since you are just using GitHub as a source to prove that the user is who they say they are. Once they're authenticated the GitHub side of things is irrelevant.

Even if you did need to communicate with GitHub on the user's behalf for other stuff later on, the access token that you have is not tied to the concept of the user being logged in to GitHub.

In fact there is no way to even find out if they are still logged in to GitHub, because GitHub's API doesn't provide a "is this person currently logged in?" endpoint or anything, nobody does.

So the TL;DR is don't worry about it :) Adjust your session timeout in your config to what makes sense for your app and you're good to go!

from eloquent-oauth.
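The behaviour discussed in this thread, as an added example that is not part of the original comments and is not code from eloquent-oauth or Laravel: a simplified plain-PHP model of an idle-timeout session guard, showing that the identity provider is involved only at login and that the user becomes null once the local session expires. `SessionGuard`, the `$now` parameters and the sample user are hypothetical; the 120-minute lifetime is the value quoted above.

```php
<?php
// Simplified model of an idle-timeout session guard (hypothetical class,
// not Laravel's implementation). The OAuth provider appears only in login().

final class SessionGuard
{
    private ?array $user = null;
    private int $lastActivity = 0;

    public function __construct(private int $lifetimeMinutes) {}

    // Called once, after the OAuth callback has identified the user.
    public function login(array $user, int $now): void
    {
        $this->user = $user;
        $this->lastActivity = $now;
    }

    // Returns the user, or null once the session has been idle too long.
    public function user(int $now): ?array
    {
        $idle = $now - $this->lastActivity;
        if ($this->user !== null && $idle > $this->lifetimeMinutes * 60) {
            $this->user = null;          // expired locally; provider is not asked
        }
        if ($this->user !== null) {
            $this->lastActivity = $now;  // each request slides the idle window
        }
        return $this->user;
    }

    public function check(int $now): bool
    {
        return ! is_null($this->user($now));
    }
}

$guard = new SessionGuard(120);          // mirrors 'lifetime' => 120
$t0 = 1_700_000_000;                     // constructed timestamp
$guard->login(['id' => 7, 'name' => 'octocat'], $t0);

$active = $t0 + 119 * 60;                // request 119 minutes after login
var_dump($guard->check($active));

$later = $active + 121 * 60;             // next request after 121 idle minutes
var_dump($guard->check($later));

// Guarded access: reading ['name'] from user() without check() is the
// null-access mistake described earlier in the thread.
$name = $guard->check($later) ? $guard->user($later)['name'] : null;
var_dump($name);
```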
