
Sessions & guards


Laravel's session guard turns "valid email + password" into a logged-in cookie session.

if (Auth::attempt(['email' => $email, 'password' => $password])) {
    $request->session()->regenerate(); // prevents session fixation
    return redirect()->intended('/dashboard');
}
return back()->withErrors(['email' => 'Bad credentials.']);

Auth::attempt looks up the user by the non-password fields, then verifies the supplied password against the stored hash using the configured hasher. Never compare passwords manually with ==.

Reading the user

$user = Auth::user();          // ?User
$id   = Auth::id();            // ?int
auth()->user();                // same as Auth::user()

Inside Blade: @auth … @endauth or auth()->user().

Logging out

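Auth::logout();                          // forget the user on the current guard
$request->session()->invalidate();       // flush session data and issue a new session ID
$request->session()->regenerateToken();  // rotate the CSRF token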

Multiple guards

config/auth.php defines guards (default web for sessions, api for tokens). Switch with Auth::guard('api')->user().
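
The login and logout steps above, applied to a non-default guard. This is an added example, not code from the original lesson. It assumes config/auth.php defines a session-driven guard named admin; the controller name, file path and redirect paths are hypothetical.

```php
<?php
// app/Http/Controllers/AdminSessionController.php (hypothetical file and class)
namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class AdminSessionController extends Controller
{
    // Assumption: config/auth.php defines a session-driven guard named 'admin'.
    private const GUARD = 'admin';

    public function store(Request $request): RedirectResponse
    {
        // Validate shape first so attempt() never receives arrays or missing keys.
        $credentials = $request->validate([
            'email'    => ['required', 'string', 'email'],
            'password' => ['required', 'string'],
        ]);

        if (! Auth::guard(self::GUARD)->attempt($credentials)) {
            // Same message for unknown e-mail and wrong password: no account enumeration.
            return back()
                ->withErrors(['email' => 'Bad credentials.'])
                ->onlyInput('email'); // flash only the e-mail back, never the password
        }

        // New session ID after the privilege change, so a pre-login ID is useless.
        $request->session()->regenerate();

        return redirect()->intended('/admin'); // '/admin' is a placeholder path
    }

    public function destroy(Request $request): RedirectResponse
    {
        Auth::guard(self::GUARD)->logout();      // forget the user on this guard only
        $request->session()->invalidate();       // flush ALL session data, issue a new ID
        $request->session()->regenerateToken();  // rotate the CSRF token

        return redirect('/');
    }
}
```

Session guards share one session, so invalidate() here also signs the browser out of any other session guard (such as web) that was logged in on the same cookie.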