Laravel 8 - How to redirect to Login page when not logged in

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company
# Laravel 8: How to Secure Routes and Redirect Users When Not Logged In As a senior developer working with the Laravel ecosystem, you frequently encounter the need to control access to your application's routes based on user authentication status. A very common requirement is ensuring that non-public pages—like dashboards, account settings, or feedback forms—are only accessible to authenticated users. If you are running into trouble redirecting unauthenticated users, don't worry; this is a classic challenge, and the solution lies in mastering Laravel's powerful middleware system. This post will walk you through the correct, idiomatic way to protect your routes in Laravel 8, specifically addressing how to ensure that all public-facing routes redirect logged-out users to the login page. ## Understanding Route Protection with Middleware The core of securing routes in Laravel is using **middleware**. Middleware functions act as a pipeline that executes logic before or after a request hits your controller. When dealing with authentication, we use the built-in `auth` middleware provided by Laravel. This middleware checks if a valid user is currently authenticated via the session or token. If the check fails, it automatically redirects the user to a specified location (usually the login page). Your initial thought about using `Route::group()` was absolutely correct; this is the perfect tool for applying a set of rules (like authentication) to multiple routes simultaneously. The confusion often lies in understanding how to properly configure that group. ## Implementing Global Authentication Guards Instead of manually checking session data within every controller method, we apply the protection at the route definition level. This keeps your controllers clean and adheres to the principle of separation of concerns. To protect a set of routes, you wrap them inside a `Route::group()` call and pass the desired middleware as an array. For authentication purposes, we use `'auth'`. Here is how you apply this concept to secure your application: ```php // In web.php Route::group(['middleware' => 'auth'], function () { Route::get('/', [HomeController::class, 'home'])->name('home'); Route::get('/account', [HomeController::class, 'account'])->name('account'); Route::get('/feedback', [HomeController::class, 'feedback'])->name('feedback'); Route::get('/help', [HomeController::class, 'help'])->name('help'); }); // Public routes remain unprotected Route::post('authenticate', [LoginController::class, 'doLogin'])->middleware('web'); ``` ### Why This Works Better By wrapping your protected routes with `['middleware' => 'auth']`, you instruct Laravel: "Only allow requests that have successfully passed the authentication check to reach these endpoints." If a user attempts to access `/account` without being logged in, Laravel intercepts the request and automatically redirects them to the configured login route. This is far more robust than manually checking `Auth::check()` inside every controller method. This approach aligns perfectly with modern Laravel development practices, emphasizing clean separation between routing logic and business logic—a principle highly valued by the team behind [Laravel](https://laravelcompany.com). ## Handling Authentication Logic in Controllers While route grouping handles *access*, your authentication controller still needs to handle the successful login process. As you demonstrated with your `doLogin` method, once authentication is successful via `Auth::attempt()`, you then redirect the user to their desired destination (e.g., `/home`). This flow ensures that authenticated users land on the correct page immediately after a successful login attempt. ## Conclusion Mastering route protection using middleware is fundamental to building secure and scalable applications in Laravel. By leveraging `Route::group()` with the `'auth'` middleware, you establish a clean, centralized mechanism for controlling access to your application's resources. This technique ensures that your site remains secure, intuitive, and adheres to best practices, making development smoother for everyone working within the framework.