Laravel makes authentication simple and efficient through built-in authentication scaffolding, conversation and guard mechanism, middleware protection, password reset and email verification. First, use php artisan make:auth or Breeze/Jetstream to generate basic routes, controllers and views to quickly build a login and registration interface; then use the Auth facade to process user login logic, verify the credentials and store the user ID into the session to maintain the login state; then use the auth middleware to protect the route, ensuring that only users are authorized to access specific pages; at the same time, provide complete password reset and mailbox verification functions, support token generation and email asynchronous sending; finally allow custom user providers, session drivers, redirect paths and verification logic to achieve flexible expansion.

Laravel makes authentication pretty straightforward out of the box. It provides a solid starting point for handling user login, registration, password resets, and more without needing to build everything from scratch.

Here's how it works in real use:

Built-in Authentication Scaffolding

If you're setting up a new Laravel project and need basic auth right away, you can use the built-in scaffolding:

• Run php artisan make:auth (in older versions) or use Laravel Breeze / Jetstream in newer versions.
• This sets up routes, controllers, and views for login, registration, and password reset.
• Blade templates are ready to go, so you can start with a working UI quickly.

This is super handy when you just want to get started fast without reinventing the wheel.

How User Login Actually Works

At its core, Laravel uses sessions and guards to manage authenticated users.

• The Auth facade handles most of the logic.
• When a user logs in, Laravel checks their credentials against the database using the configured guard (usually Eloquent).
• If valid, it stores the user ID in the session and keeps them logged in until they log out or the session expires.

Here's a simplified version of what happens during login:

 if (Auth::attempt(['email' => $email, 'password' => $password])) {
    // Redirect to dashboard or home
} else {
    // Show error message
}

You can customize this flow — for example, adding 2FA or checking if the user is active before logging them in.

Middleware Protections Routes

Once users are logged in, Laravel uses middleware to protect routes:

• Use auth middleware to require login:

   Route::get('/dashboard', function() {
      // Only accessible if logged in
  })->middleware('auth');

• You can also check roles or permissions by creating your own middleware or using packages like Spatie Laravel Permission .

This helps keep unauthorized users out of restricted areas without writing tons of conditional checks.

---

Password Reset and Email Verification

Laravel includes full support for password resets and email verification:

• Just run php artisan make:auth or install Breeze/Jetstream.
• It sets up routes and views for resetting passwords via email.
• For email verification, call Auth::routes(['verify' => true]) and add the MustVerifyEmail interface to your User model.

It handles token generation, expiration, and even queues emails so it doesn't block page loads.

---

Customization and Flexibility

Even though Laravel gives you a lot by default, it's easy to customize:

• Swap out Eloquent for another user provider if needed.
• Change session driver to use Redis or database instead of file-based sessions.
• Customize redirect paths after login/logout.
• Modify the way credentials are validated.

Most of the logic lives in App\Http\Controllers\Auth , so you can tweak those controllers to suit your app.

---

So yeah, Laravel handles authentication in a way that's powerful but not overly complex — great for both quick setups and deeper customization.

The above is the detailed content of How does Laravel handle authentication?. For more information, please follow other related articles on the PHP Chinese website!