Laravel issue with loginUsingId (Manual Authentication)

Question

I am trying to implement a single signon on multiple domains. The concept is pretty simple i.e to send unique user tokens and then verify these tokens to find the user and then log him in.

Now after verifying the token and then grabbing the user, i do something like this

$loggedInUser = Auth::loginUsingId($user->id, true);

Now i have a custom middleware where it first checks for a logged in user, i.e

Auth::Check()

The above works fine for the first time. But on refresh Auth::check() is not validated. I have also tried using all different session drivers but still doesn't work.

I used a similar code on laravel 5.2, and it did work. But on laravel 5.3 its not validating on persistent requests.

Edit: Let me show you my Code I have not modified AuthServiceProvider or any other guard. I do have the user model inside a directory but i have modified the path in auth.php.

Here is the route that domain1 points to:

http://domain2.com/{{$role}}/{{$route}}/singlesignon/{{$token}}

This is then picked up by verifySingleSignOn method inside the loginController which takes in the role, route that the user came in from other domain and the token. The user is then redirected to the same routes, but on domain2. Here i can successfully recieve the user id before manually logging in.

public function verifySingleSignOn($role, $route, $token)
    {
        // Fetch Single Signon
        $userRepository = new UserRepository();
        $user = $userRepository->checkForSingleSignOnToken($token, ['id']);

        // Check if Token Exists
        if (isset($user->id) && is_int($user->id) && $user->id != 0) {

            // Manually Logging a user (Here is successfully recieve the user id)
            $loggedInUser = Auth::loginUsingId($user->id);

            if (!$loggedInUser) {
                // If User not logged in, then Throw exception
                throw new Exception('Single SignOn: User Cannot be Signed In');
            }
            $redirectTo = $role . '/' . $route;
            return redirect($redirectTo);
        } else {
            return Auth::logout();
        }
    }

Then i have this GlobalAdminAuth middleware

   // Check if logged in
    if( Auth::Check() ){
        $user = Auth::User();

        // Check if user is active and is a globaladmin
        if( !$user->isGlobalAdmin() || !$user->isActive() ){
            return redirect()->guest('login');
        }
    }else{
        return redirect()->guest('login');
    }

    return $next($request);

Now the first time everything works fine and the user moves through the middleware successfully . but the second time the else statement is triggered.

Edit: Code for checkForSingleSignOnToken

public function checkForSingleSignOnToken($token, $columns = array('*'))
{
    return User::where('single_signon', $token)->first($columns);
}

Answer 1

try

Auth::login($user);

instead of

Auth::loginUsingId($user->id, true);

Answer 2

Cookies are restricted domain-wise. Your application on domain1.com wont be able to grab cookies set by domain2.com.

You should be customizing the guard to use some other mechanism than cookies. Maybe use a token in the query parameters.

Answer 3

add this to your protected $middleware array in app\Http\Kernel.php

    \App\Http\Middleware\EncryptCookies::class,
    \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
    \Illuminate\Session\Middleware\StartSession::class,
    \Illuminate\View\Middleware\ShareErrorsFromSession::class,
    \App\Http\Middleware\VerifyCsrfToken::class

I think it has to do with an update in the framework