Laravel: What is "remember_token" in the "users" DB table?

Onion · Apr 24, 2014 · Viewed 90.4k times

Is it safe to use the remember_token in the users table for authenticating the user into the application?

What is the purpose of this token? Currently, I'm using it in forms to check whether the user is logged in - if the token is not present, I show the login screen. Each time the user logs out, this token is regenerated.

Answer

sidneydobber · Apr 24, 2014

No. It's not supposed to be used to authenticate. It's used by the framework to help against Remember Me cookie hijacking. The value is refreshed upon login and logout. If a cookie is hijacked by a malicious person, logging out makes the hijacked cookie useless since it doesn't match anymore.

Refer to this documentation:

https://laravel.com/docs/4.2/upgrade#upgrade-4.1.29
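
The rotation described in the answer, as a simplified framework-free PHP model. This is an added example, not Laravel's own code or code from the answer; the function names, the in-memory `$users` array and the `id|token` cookie layout are assumptions made for illustration. It shows a copied cookie being accepted while the token is current and rejected once logout has replaced the stored value.

```php
<?php
// Simplified model of remember-token rotation (hypothetical names, not Laravel's code).
// $users stands in for the "users" table with its remember_token column.
$users = [1 => ['email' => 'alice@example.test', 'remember_token' => null]];

function rotateToken(array &$users, int $id): string
{
    // Store a new unpredictable value; any cookie issued earlier stops matching.
    $users[$id]['remember_token'] = bin2hex(random_bytes(32));
    return $users[$id]['remember_token'];
}

function login(array &$users, int $id): string
{
    // The "remember me" cookie value: user id plus the freshly rotated token.
    return $id . '|' . rotateToken($users, $id);
}

function logout(array &$users, int $id): void
{
    // Logging out replaces the stored token, invalidating every outstanding cookie.
    rotateToken($users, $id);
}

function userFromCookie(array $users, string $cookie): ?int
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null; // malformed cookie
    }
    $id = (int) $parts[0];
    $stored = $users[$id]['remember_token'] ?? null;
    // Constant-time comparison of the presented token with the stored one.
    return (is_string($stored) && hash_equals($stored, $parts[1])) ? $id : null;
}

$cookie = login($users, 1);
$copied = $cookie;                           // constructed stand-in for a hijacked cookie
var_dump(userFromCookie($users, $copied));   // checked while the token is still current
logout($users, 1);                           // the legitimate user logs out
var_dump(userFromCookie($users, $copied));   // checked again after the rotation
```

The token only ties a long-lived cookie to a value the server can revoke; whether a request is authenticated is still decided by the framework's auth guard, not by the presence of this column.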