Introduction
Laravel makes implementing authentication very simple. In fact, almost everything is configured for you out of the box. The authentication configuration file is located at config/auth.php
, which contains several well documented options for tweaking the behavior of the authentication services.
At its core, Laravel’s authentication facilities are made up of “guards” and “providers”. Guards define how users are authenticated for each request. For example, Laravel ships with a session
guard which maintains state using session storage and cookies.
Providers define how users are retrieved from your persistent storage. Laravel ships with support for retrieving users using Eloquent and the database query builder. However, you are free to define additional providers as needed for your application.
Don’t worry if this all sounds confusing now! Many applications will never need to modify the default authentication configuration.
Database Considerations
By default, Laravel includes an App\User
Eloquent model in your app
directory. This model may be used with the default Eloquent authentication driver. If your application is not using Eloquent, you may use the database
authentication driver which uses the Laravel query builder.
When building the database schema for the App\User
model, make sure the password column is at least 60 characters in length. Maintaining the default string column length of 255 characters would be a good choice.
Also, you should verify that your users
(or equivalent) table contains a nullable, string remember_token
column of 100 characters. This column will be used to store a token for users that select the “remember me” option when logging into your application.
Authentication Quickstart
Laravel ships with several pre-built authentication controllers, which are located in the App\Http\Controllers\Auth
namespace. The RegisterController
handles new user registration, the LoginController
handles authentication, the ForgotPasswordController
handles e-mailing links for resetting passwords, and the ResetPasswordController
contains the logic to reset passwords. Each of these controllers uses a trait to include their necessary methods. For many applications, you will not need to modify these controllers at all.
Routing
Laravel’s laravel/ui
package provides a quick way to scaffold all of the routes and views you need for authentication using a few simple commands:

This command should be used on fresh applications and will install a layout view, registration and login views, as well as routes for all authentication end-points. A HomeController
will also be generated to handle post-login requests to your application’s dashboard.
Views
As mentioned in the previous section, the laravel/ui
package’s php artisan ui vue --auth
command will create all of the views you need for authentication and place them in the resources/views/auth
directory.
The ui
command will also create a resources/views/layouts
directory containing a base layout for your application. All of these views use the Bootstrap CSS framework, but you are free to customize them however you wish.
Authenticating
Now that you have routes and views setup for the included authentication controllers, you are ready to register and authenticate new users for your application! You may access your application in a browser since the authentication controllers already contain the logic (via their traits) to authenticate existing users and store new users in the database.
Path Customization
When a user is successfully authenticated, they will be redirected to the /home
URI. You can customize the post-authentication redirect location by defining a redirectTo
property on the LoginController
, RegisterController
, ResetPasswordController
, and VerificationController
:

Next, you should modify the RedirectIfAuthenticated
middleware’s handle
method to use your new URI when redirecting the user.
If the redirect path needs custom generation logic you may define a redirectTo
method instead of a redirectTo
property:

Username Customization
By default, Laravel uses the email
field for authentication. If you would like to customize this, you may define a username
method on your LoginController
:

Guard Customization
You may also customize the “guard” that is used to authenticate and register users. To get started, define a guard
method on your LoginController
, RegisterController
, and ResetPasswordController
. The method should return a guard instance:

Validation / Storage Customization
To modify the form fields that are required when a new user registers with your application, or to customize how new users are stored into your database, you may modify the RegisterController
class. This class is responsible for validating and creating new users of your application.
The validator
method of the RegisterController
contains the validation rules for new users of the application. You are free to modify this method as you wish.
The create
method of the RegisterController
is responsible for creating new App\User
records in your database using the Eloquent ORM. You are free to modify this method according to the needs of your database.
Retrieving The Authenticated User
You may access the authenticated user via the Auth
facade:

Alternatively, once a user is authenticated, you may access the authenticated user via an Illuminate\Http\Request
instance. Remember, type-hinted classes will automatically be injected into your controller methods:

Determining If The Current User Is Authenticated
To determine if the user is already logged into your application, you may use the check
method on the Auth
facade, which will return true
if the user is authenticated:

Protecting Routes
Route middleware can be used to only allow authenticated users to access a given route. Laravel ships with an auth
middleware, which is defined at Illuminate\Auth\Middleware\Authenticate
. Since this middleware is already registered in your HTTP kernel, all you need to do is attach the middleware to a route definition:

If you are using controllers, you may call the middleware
method from the controller’s constructor instead of attaching it in the route definition directly:
Redirecting Unauthenticated Users
When the auth
middleware detects an unauthorized user, it will redirect the user to the login
named route. You may modify this behavior by updating the redirectTo
function in your app/Http/Middleware/Authenticate.php
file:

Specifying A Guard
When attaching the auth
middleware to a route, you may also specify which guard should be used to authenticate the user. The guard specified should correspond to one of the keys in the guards
array of your auth.php
configuration file:

Password Confirmation
Sometimes, you may wish to require the user to confirm their password before accessing a specific area of your application. For example, you may require this before the user modifies any billing settings within the application.
To accomplish this, Laravel provides a password.confirm
middleware. Attaching the password.confirm
middleware to a route will redirect users to a screen where they need to confirm their password before they can continue:

After the user has successfully confirmed their password, the user is redirected to the route they originally tried to access. By default, after confirming their password, the user will not have to confirm their password again for three hours. You are free to customize the length of time before the user must re-confirm their password using the auth.password_timeout
configuration option.