Laravel vs Flarum: Remember Tokens

Digitalam

Hi! I want to know, is there a reason why Flarum uses an entire table for access tokens? (And deletes them?)

From what I see, Laravel has remember tokens stores as a column in the users table. And only gets updated when the user chooses remember me and is empty otherwise. And session tokens aren't stored in the DB.

Whereas Flarum stores remember and session tokens in the access tokens table. And deletes the entire row when the user logs out.

So why does Flarum have this system instead of being similar to Laravel's? What are the pros and cons?

clarkwinkelmann

Digitalam I can't speak for the original reasons, because it's been mostly like this since before I joined the Flarum project, but I did introduce a few changes in a recent release so I think this would be a good summary.

With Flarum tokens, you can;

remember the user on multiple computers. I'm not actually sure whether Laravel can do it, but here we can control the expiration of each remember session instead of having a single global token that never expires
use the same system to authenticate the REST API and web sessions
terminate sessions remotely
show the list of active session and clients (the UI for this is still missing, but the API has finished before stable)

The con is mostly that there's one more database request required to check the user authentication. We could use a database-based session driver to skip the token table and preserve all features from above, but that would probably require customizing the Symfony session driver and/or preventing developers from switching to another driver for the session itself.

Digitalam

Alright thanks for your input Clark! 🙂