Login only if user is active using Laravel
Stefan Izdrail
Founder & Senior Architect · 2026-06-29
Securing Your Laravel App by Enforcing Login for Active Users
In our modern world of cyber threats, it is crucial to implement measures to prevent unwanted users from accessing your Laravel application. One way to ensure this is by verifying the active status of a user before allowing them to log in. This not only prevents spam but also improves the overall security and credibility of your web app. Here's how you can go about implementing such a feature using Laravel.
Step 1: Create an 'activation_status' column in your database table if it doesn't already exist. This column will be used to store a boolean value indicating whether the user is active or not. By default, every new user should have this field set to false until they activate their account. You can create the migration using the Laravel command:
```bash
# Generate a migration that will add the 'activation_status' column to the users table
php artisan make:migration add_activation_status_to_users_table --table=users
```
Step 2: Update your 'register' and 'activate' controllers to include the activation status. You can simply change the user's activation status to true after they activate their account in the 'activate' controller, or you might use a background job that periodically checks for accounts awaiting approval. Ensure that these updates are reflected in the corresponding views as well, so the user experience stays consistent.
Step 3: In your login form, you want to check if the user is active before completing the actual login action. To accomplish this, you can update the route your form posts to with a slight modification from Laravel's official tutorial. Once the credentials have been verified, check the 'activation_status' column and continue only when it is true:
```php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

// Credentials are submitted with POST so they never end up in URLs or access logs
Route::post('/auth/login', function (Request $request) {
    // ...
    $credentials = $request->only(['email', 'password']);
    if (Auth::attempt($credentials)) {
        if ($request->user()->activation_status == true) {
            return redirect()->intended(route('dashboard'));
        } else {
            // Auth::attempt() has already signed the user in, so end that
            // session before sending an inactive account to activation
            Auth::logout();
            return redirect()->route('activation.page');
        }
    }
    // ...
});
```
This ensures that users with an active status are allowed to log in and are directed to their dashboard, while those who aren't active are signed out again and redirected to the activation page.
Step 4: Implement a middleware filter for this functionality. Laravel ships with the 'auth' middleware, which only checks that a user is authenticated. You can create your own middleware and register it in your Kernel.php file to enforce login only if the user is active, like so:
```php
// Option A: register the alias at runtime, e.g. in a service provider's boot() method
Route::aliasMiddleware('check_login_with_active', \App\Http\Middleware\CheckLoginWithActive::class);

// Option B: register your custom middleware in app/Http/Kernel.php
// (Laravel 10 names this property $middlewareAliases)
protected $routeMiddleware = [
    // ...
    'check_login_with_active' => \App\Http\Middleware\CheckLoginWithActive::class,
];
```
You can then modify your login route's middleware to include this new filter:
```php
// Update the login route in routes/web.php file
Route::post('/auth/login', function (Request $request) {
    // ...
})->middleware('check_login_with_active');
```
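One possible body for the CheckLoginWithActive middleware registered in Step 4, as an added example that is not code from the original post. It assumes a session-based guard (the default 'web' middleware group) and reuses the 'activation_status' column and 'activation.page' route name from the steps above.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Symfony\Component\HttpFoundation\Response;

class CheckLoginWithActive
{
    /**
     * Let the request continue only when the authenticated user is active.
     */
    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user();

        // Guests pass through untouched: whether a route requires a login
        // at all is the job of the built-in 'auth' middleware.
        if ($user !== null && ! $user->activation_status) {
            // End the session so an inactive account cannot keep using
            // a login that was established earlier.
            Auth::logout();
            $request->session()->invalidate();
            $request->session()->regenerateToken();

            return redirect()->route('activation.page');
        }

        return $next($request);
    }
}
```

Attached alongside 'auth' on routes that require a login, the same check also cuts off accounts whose activation_status is set back to false after they have signed in.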
Step 5: Test your implementation thoroughly to ensure proper functionality and user experience across different scenarios.
In conclusion, securing your Laravel app by enforcing login for active users is a crucial step in maintaining the application's integrity. By creating the 'activation_status' column and incorporating this concept into your registration, login, and middleware filters, you can achieve a more secure web application that prevents spam and enhances user experience.