I am overwriting session.timeout value in one of the middleware (for Laravel web app) but it doesn't seem to be affecting in terms of timing out a session. Tho
Here is what worked for me (using Laravel 5.6 or 5.5) to let a user choose session duration at login time.
Editing the lifetime of the session in Auth controller doesn't work because by then the session is already started. You need to add middleware that executes before Laravel runs its own "StartSession" middleware.
One way is to create a cookie to store the user's lifetime length preference and use that value when setting the session expiration on each request.

    namespace App\Http\Middleware;

    use Illuminate\Support\Facades\Cookie;

    class SetSessionLength {

        const SESSION_LIFETIME_PARAM = 'sessionLifetime';
        const SESSION_LIFETIME_DEFAULT_MINS = 5;

        /**
         * Handle an incoming request.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         */
        public function handle($request, $next) {
            // Read the preference from the cookie, falling back to the submitted form value.
            // https://laravel.com/api/6.x/Illuminate/Support/Facades/Cookie.html#method_get
            $lifetimeMins = Cookie::get(self::SESSION_LIFETIME_PARAM, $request->input(self::SESSION_LIFETIME_PARAM));
            if ($lifetimeMins) {
                // Re-issue the preference cookie so it lives as long as the session it controls.
                // https://laravel.com/docs/6.x/requests#cookies
                Cookie::queue(self::SESSION_LIFETIME_PARAM, $lifetimeMins, $lifetimeMins);
                // Override the lifetime before StartSession reads the config.
                config(['session.lifetime' => $lifetimeMins]);
            }
            return $next($request);
        }
    }

Add \App\Http\Middleware\SetSessionLength::class right before \Illuminate\Session\Middleware\StartSession::class.

    'lifetime' => env('SESSION_LIFETIME', \App\Http\Middleware\SetSessionLength::SESSION_LIFETIME_DEFAULT_MINS),

To let the user choose their preferred number of minutes, add a dropdown of minutes, such as starting with <select name="{{\App\Http\Middleware\SetSessionLength::SESSION_LIFETIME_PARAM}}">. Otherwise, change SetSessionLength.php above not to pull from $request->input but retrieve from somewhere else, such as a database record for that user.
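
The lifetime in the middleware above comes from a form field and a cookie, both of which the client controls, so it is worth restricting it to values the application actually offers. The following is an added example, not the answer author's code: the class name, the ALLOWED_MINS list and the resolve() helper are assumptions, and it assumes the middleware is registered after EncryptCookies and before StartSession.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Cookie;

class SetValidatedSessionLength // hypothetical name, added example
{
    const SESSION_LIFETIME_PARAM = 'sessionLifetime';

    // Assumed policy: the only lifetimes (in minutes) the login form offers.
    const ALLOWED_MINS = [5, 15, 60, 480];

    /**
     * Return the first candidate that is an integer on the allow-list,
     * or null when none qualifies (missing, array, non-numeric, out of policy).
     */
    public static function resolve(array $candidates): ?int
    {
        foreach ($candidates as $raw) {
            // filter_var() returns false for null, arrays and non-integer strings.
            $mins = filter_var($raw, FILTER_VALIDATE_INT);
            if ($mins !== false && in_array($mins, self::ALLOWED_MINS, true)) {
                return $mins;
            }
        }
        return null;
    }

    public function handle($request, Closure $next)
    {
        // Same precedence as the original middleware: cookie first, then form input.
        $mins = self::resolve([
            $request->cookie(self::SESSION_LIFETIME_PARAM),
            $request->input(self::SESSION_LIFETIME_PARAM),
        ]);

        if ($mins !== null) {
            // Only a validated value reaches the cookie and the session config.
            Cookie::queue(self::SESSION_LIFETIME_PARAM, (string) $mins, $mins);
            config(['session.lifetime' => $mins]);
        }
        // Otherwise the default from config/session.php stays in effect.
        return $next($request);
    }
}
```
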
The problem occurs because the session has already started, and after that you are changing session lifetime configuration variable.
The variable needs to be changed for current request, but the user already has a session with lifetime specified.
You have to change your login method. And do following steps:

    config(['session.lifetime' => 1440]);

I recommend using helper to change config on the fly.

    config(['session.lifetime' => 1440]);

It seems the only way to accomplish a dynamic lifetime value is by setting the value in middleware, before the session gets initiated. Otherwise it's too late, as the application SessionHandler will have already been instantiated using the default config value.

    namespace App\Http\Middleware;

    class ExtendSession
    {
        /**
         * Handle an incoming request.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         */
        public function handle($request, $next)
        {
            $lifetime = 2;
            config(['session.lifetime' => $lifetime]);
            return $next($request);
        }
    }

Then in the kernel.php file, add this class prior to StartSession.

    \App\Http\Middleware\ExtendSession::class,
    \Illuminate\Session\Middleware\StartSession::class,