How to use remember me for multiple devices in Laravel

How to avoid being logged out when using remember me.

How does remember me work?

There is a string column in the users table which is called remember_token.

When user tries to login using username/password, then Auth:attempt is called which received the credentials, as well the info if user should be remembered:

if (! Auth::attempt($this->only('email', 'password'), $this->boolean('remember'))) {
    throw ValidationException::withMessages([
        'email' => trans('auth.failed'),

If you take a look into the framework at Illuminate/Auth/SessionGuard, then this is where attempt be called by default:

public function attempt(array $credentials = [], $remember = false)
    $this->fireAttemptEvent($credentials, $remember);

    $this->lastAttempted = $user = $this->provider->retrieveByCredentials($credentials);

    // If an implementation of UserInterface was returned, we'll ask the provider
    // to validate the user against the given credentials, and if they are in
    // fact valid we'll log the users into the application and return true.
    if ($this->hasValidCredentials($user, $credentials)) {
        $this->login($user, $remember);

        return true;

    // If the authentication attempt fails we will fire an event so that the user
    // may be notified of any suspicious attempts to access their account from
    // an unrecognized user. A developer may listen to this event as needed.
    $this->fireFailedEvent($user, $credentials);

    return false;

If you continue following the path of $this->login(..) you will see that it will create a new remember token

public function login(AuthenticatableContract $user, $remember = false)

    // If the user should be permanently "remembered" by the application we will
    // queue a permanent cookie that contains the encrypted copy of the user
    // identifier. We will then decrypt this later to retrieve the users.
    if ($remember) {


    // If we have an event dispatcher instance set we will fire an event so that
    // any listeners will hook into the authentication events and run actions
    // based on the login and logout events fired from the guard instances.
    $this->fireLoginEvent($user, $remember);


The method ensureRemeberTokenIsSet will update the column remember_token on the users row in the users table, if and only if the column is null. Otherwise the existing will stay.

The queueRecallerCookie method will write the remember_me token from the user in the clients cookie. If you need a refresher about how laravel session and cookies work, checkout my Medium article: How Do Laravel Sessions Work?.

Everytime a page with auth protection is called, the user() method from the Guard will be called. For the SessionGuard, it looks like this:

public function user()
        if ($this->loggedOut) {

        // If we've already retrieved the user for the current request we can just
        // return it back immediately. We do not want to fetch the user data on
        // every call to this method because that would be tremendously slow.
        if (! is_null($this->user)) {
            return $this->user;

        $id = $this->session->get($this->getName());

        // First we will try to load the user using the identifier in the session if
        // one exists. Otherwise we will check for a "remember me" cookie in this
        // request, and if one exists, attempt to retrieve the user using that.
        if (! is_null($id) && $this->user = $this->provider->retrieveById($id)) {

        // If the user is null, but we decrypt a "recaller" cookie we can attempt to
        // pull the user data on that cookie which serves as a remember cookie on
        // the application. Once we have a user we can return it to the caller.
        if (is_null($this->user) && ! is_null($recaller = $this->recaller())) {
            $this->user = $this->userFromRecaller($recaller);

            if ($this->user) {

                $this->fireLoginEvent($this->user, true);

        return $this->user;

The recaller will simply get the remember_me token from the cookie and will try to find a user in the users table who has the same token in the remember_me column. If one is found, he will be logged in.

The many device issue

It is possible to use the remember_me function from many devices. In this case, all devices have the same remember_token stored in their cookie. If you logout using $user->logout(), the remeber_token from the row in the users table will be removed. This means, the remember_me functionality will stop working for all other devices, as the there stored remember_token in the cookie won't find a match in the users table.

Calling the logout() method on the guard is the default behaviour:

public function destroy(Request $request): RedirectResponse



    return redirect('/');

There is the function logoutOtherDevices aswell, which will basically recreate a new remeber_token. This means all other devices will be logged out, but you current stays logged it.

Since Laravel 6, a new function has been introduced, callend $user->logoutCurrentDevice(). This will cleanup the cookie for the current device and logout the user, but keeps the remember_me token in the database. To use it, you would need to customize the logout method from your Auth/AuthenticatedSessionController.php. In our case, we would have to change it like this:

public function destroy(Request $request): RedirectResponse
    Auth::guard('admin')->logoutCurrentDevice(); // <---



    return redirect('/');