Enhanced session management for Laravel applications with device tracking and remote session termination.
- 📱 Track user sessions across devices
- đź”’ Remote logout from other devices
- 🚀 Works with any session driver (database, redis, file, etc.)
- ⚡ Optimized with throttling and indexing
- 🧪 Fully tested (100% test and type coverage & PHPStan Level 9)
composer require willvincent/laravel-session-managerphp artisan vendor:publish --tag=session-manager-config
php artisan vendor:publish --tag=session-manager-langThe following steps are only required if your application is not using Laravel’s
databasesession driver.
php artisan vendor:publish --tag=session-manager-migrations
php artisan session:table # Only if the sessions table does not already exist
php artisan migrateAdd the middleware to the web middleware group:
// bootstrap/app.php
->withMiddleware(function (Middleware $middleware): void {
$middleware->web(append: [
\WillVincent\SessionManager\Http\Middleware\IndexSessionMetadata::class,
]);
})// routes/console.php
use Illuminate\Support\Facades\Schedule;
Schedule::command('session-manager:prune-sessions')
->daily();Adjust the schedule as needed. By default, the command removes session records older than Laravel’s configured session lifetime.
Optional flags:
--ttl=MINUTES— override the session lifetime--dry-run— show how many records would be deleted without deleting them
Example:
php artisan session-manager:prune-sessions --dry-runIf your application uses Laravel’s database session driver, the steps above are not required.
In this case:
- Session metadata is read directly from Laravel’s
sessionstable - Session records are already created and maintained automatically
- Laravel’s built-in session garbage collection handles expiration
Session metadata will now be tracked automatically and kept clean over time.
The package exposes a facade-first API, consistent with Laravel’s native style:
use WillVincent\SessionManager\Facades\SessionManager;Fetch all sessions for the authenticated user:
$sessions = SessionManager::getUserSessions(auth()->id());Log out all other sessions (after password confirmation):
SessionManager::logoutOtherSessions(auth()->id());Laravel provides:
Auth::logoutOtherDevices($password);Limitations of the built-in approach:
- ❌ No built-in API/UI to list sessions or devices in Laravel core (except in some starter kits)
- ❌ No or limited session metadata (IP, browser, device, location)
- ❌ Not session-aware or targetable (all-or-nothing)
- ❌ Depends on
AuthenticateSessionmiddleware
Laravel Session Manager:
- âś… Works with all native session drivers (Redis, database, file, etc.)
- âś… Lists all active sessions and devices
- âś… Allows targeted or bulk remote logout
- âś… Optional IP-based location enrichment
If you need visibility and control beyond a blind logout call, this package fills the gap.
use WillVincent\SessionManager\Facades\SessionManager;
$sessions = SessionManager::getUserSessions(auth()->id());
foreach ($sessions as $session) {
echo $session->agent->platform(); // e.g. "macOS"
echo $session->agent->browser(); // e.g. "Chrome"
echo $session->ip_address; // e.g. "192.168.1.1"
echo $session->is_current_device; // true / false
echo $session->last_active; // "2 minutes ago"
// Optional location data
echo $session->location?->labelWithConfidence(include_country: true);
}use WillVincent\SessionManager\Facades\SessionManager;
$request->validate([
'password' => ['required', 'current_password'],
]);
SessionManager::logoutOtherSessions(auth()->id());use Livewire\Component;
use WillVincent\SessionManager\Facades\SessionManager;
class SessionSettings extends Component
{
public string $password = '';
public function getSessionsProperty()
{
return SessionManager::getUserSessions(auth()->id());
}
public function logoutOtherSessions()
{
$this->validate([
'password' => ['required', 'current_password'],
]);
SessionManager::logoutOtherSessions(auth()->id());
$this->dispatch('sessions-updated');
}
public function render()
{
return view('livewire.session-settings');
}
}Most applications should use the facade. If you prefer constructor injection:
use WillVincent\SessionManager\SessionManager;
public function __construct(
private SessionManager $sessions,
) {}
$this->sessions->logoutOtherSessions($userId);The ability to list and remotely terminate sessions depends on the underlying session driver.
| Session Driver | List user sessions | Log out other sessions |
|---|---|---|
database |
âś… | âś… |
redis |
âś… | âś… |
file |
âś… | âś… |
cookie |
✅ | ❌ |
array |
❌ | ❌ |
When using the cookie session driver, session data is stored entirely client-side. Because there is no server-side
session store, remote session termination is not possible via this package alone.
If your application uses cookie-based sessions and you want to invalidate other devices, you must also call Laravel’s built-in method:
use Illuminate\Support\Facades\Auth;
Auth::logoutOtherDevices($password);This requires validating the user’s password (which you should already be doing before calling
logoutOtherSessions). Laravel will then invalidate authentication on other devices on their next request
via the AuthenticateSession middleware.
In this scenario, this package will still:
- Track session metadata
- Clean up stored session records
…but Laravel handles the actual authentication invalidation.
The array session driver stores session data in memory for the current request only.
Sessions do not persist across requests, processes, or devices.
Because of this:
- Sessions cannot be listed
- Sessions cannot be remotely terminated
- Session metadata has no meaningful lifespan
The array driver is intended for testing and local development only and is
not compatible with multi-device session management.
- PHP 8.2+
- Laravel 11.0+
- Default Laravel session table (create via
php artisan session:table) - doctrine/dbal (installs with this package, required for altering the sessions table)
geoip2/geoip2,symfony/intl, andext-intlare optional (for IP location support)
This package is MIT licensed, and free to use, fork, etc.
