how to do "remember me" login option in laravel?

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company
# How to Implement "Remember Me" Login in Laravel: A Deep Dive into Session Persistence As a senior developer working with the Laravel ecosystem, one of the most common requirements for any web application is providing a seamless and secure "Remember Me" login option. This feature allows users to stay logged in across browser sessions without needing to re-enter credentials every time. The challenge often lies not just in setting a checkbox, but correctly leveraging Laravel's session management and authentication mechanisms to persist this state securely. Many developers run into issues when trying to use the basic `Auth::attempt()` method for this purpose. Let’s break down the correct, robust way to achieve persistent logins in Laravel. ## Understanding Session vs. Persistence When a user logs in, Laravel typically manages their session data via encrypted sessions stored on the server. For standard logins, once the session expires or the browser closes, the user is logged out. The "Remember Me" feature requires extending this behavior by storing a persistent token (usually in a long-lived cookie) that signals to the application that the user should remain authenticated for a specified duration. The key to implementing "Remember Me" is ensuring that when `Auth::attempt()` succeeds with the `remember` flag set, Laravel correctly handles setting and reading these persistent tokens. ## Implementing "Remember Me" Correctly Your intuition about using the `remember` flag in `Auth::attempt()` is correct, but its success often depends on proper configuration and understanding how Laravel manages cookies. Here is a comprehensive guide on setting up the "Remember Me" functionality: ### Step 1: Ensure Session Configuration is Sound Before diving into the controller logic, ensure your session driver is configured correctly in your `config/session.php` file. For production environments, using encrypted sessions (like `file` or database drivers) is crucial for security. This foundation ensures that any data stored—including authentication tokens—is protected. ### Step 2: Modifying the Login Logic The core of the implementation happens when handling the login request in your controller. When the user checks the "Remember Me" box, you must pass the `true` flag to the authentication attempt method. Here is how you should structure your controller logic: ```php use Illuminate\Support\Facades\Auth; use Illuminate\Http\Request; use Illuminate\Support\Facades\Session; use Illuminate\Support\Facades\Redirect; class AuthController extends Controller { public function login(Request $request) { // 1. Validate input (Essential security step!) $request->validate([ 'email' => 'required|email', 'password' => 'required', 'remember' => 'boolean', // Ensure the checkbox value is captured ]); $credentials = $request->only('email', 'password'); // 2. Attempt the login, passing 'true' for remember me if (Auth::attempt($credentials, $request->boolean('remember'))) { // If successful, set a persistent session or token if necessary // Note: Laravel handles setting the cookie/session based on configuration here. Session::flash('message', array('body' => trans('login-signup.welcome'), 'type' => 'success')); return Redirect::to('/'); } else { // Handle failed login return back()->withErrors(['login' => 'Invalid credentials.']); } } } ``` **Why this works:** By passing the boolean value of the `remember` field directly to `Auth::attempt()`, you instruct Laravel's underlying authentication system to generate and set a persistent token (usually via a long-lived cookie) if the flag is true. This token remains valid even after the standard session expires, effectively creating the "Remember Me" experience. ## Best Practices for Security and Performance Implementing "Remember Me" involves balancing convenience and security. Always ensure that: 1. **Password Hashing:** You are using Laravel's built-in hashing mechanisms (like `bcrypt`), which is automatically handled when using the standard `Auth` facade, ensuring passwords are never stored in plain text. 2. **Token Expiry:** If you implement custom token storage, ensure these tokens have appropriate expiration dates and are invalidated upon logout or password changes. 3. **HTTPS:** Always enforce HTTPS for any application handling authentication credentials to prevent man-in-the-middle attacks from stealing session data or tokens. Laravel provides a solid framework for these operations, making it easier to build secure features like this. For more advanced session and cookie management within your Laravel application, exploring the official documentation at [https://laravelcompany.com](https://laravelcompany.com) is highly recommended. ##