
How Laravel 12 Multiple Authentication Works (Behind the Scenes)

Let’s break down how Laravel authentication (with Breeze and multi-auth) works internally, step-by-step — from the moment you fill out the login form until you’re redirected to the correct dashboard.

Let’s say you’re on your Laravel Breeze login page and you fill out:

| Field | Example |
|---|---|
| Email | admin@gmail.com |
| Password | 123456 |

Then you click Login.

Now, let’s walk through what happens in the backend — line by line.


Step 1: Login Form Submits to a Route

When you hit “Login”, your form sends a POST request to this route (defined in routes/auth.php):

Route::post('/login', [AuthenticatedSessionController::class, 'store']);

This means Laravel will call the store() method inside:

app/Http/Controllers/Auth/AuthenticatedSessionController.php

Step 2: The Controller Validates the Request

Inside store(), Laravel first validates and authenticates the credentials.

public function store(LoginRequest $request): RedirectResponse
{
    $request->authenticate();
    $request->session()->regenerate();
    
    ...
}

Let’s understand what this means 👇

a) $request->authenticate()

This method is defined in the App\Http\Requests\Auth\LoginRequest class (app/Http/Requests/Auth/LoginRequest.php).
It’s responsible for actually checking whether the email and password match any record in your database.

public function authenticate(): void
{
    $this->ensureIsNotRateLimited();

    if (! Auth::attempt($this->only('email', 'password'), $this->boolean('remember'))) {
        RateLimiter::hit($this->throttleKey());
        throw ValidationException::withMessages([
            'email' => trans('auth.failed'),
        ]);
    }

    RateLimiter::clear($this->throttleKey());
}

Let’s decode this:

| Step | What Happens |
|---|---|
| 1 | It ensures you haven’t exceeded login attempts (Laravel throttling protection). |
| 2 | It calls Auth::attempt() with your credentials. |
| 3 | Laravel checks if your email exists in the users table. |
| 4 | It verifies the hashed password using Hash::check(). |
| 5 | If successful, it stores your user ID in the session. |
| 6 | You are now officially authenticated (logged in). |

Step 3: Laravel Stores Your Login Session

Once you’re authenticated, this line runs:

$request->session()->regenerate();

This is important for security: it prevents session fixation attacks, where an attacker who knows or has planted your pre-login session ID could keep using it after you log in.

Laravel then saves your user_id in session storage.

You can see this in your browser’s cookies — Laravel uses a cookie (default name laravel_session) to track the session.

Step 4: Role-Based Redirect Logic

After authentication, we redirect users based on their role (which we added earlier).

$redirect = match ($request->user()->role) {
    'admin' => 'admin/dashboard',
    'agent' => 'agent/dashboard',
    default => 'dashboard',
};

return redirect()->intended($redirect);

Here’s what happens:

| Role | Redirected To |
|---|---|
| Admin | /admin/dashboard |
| Agent | /agent/dashboard |
| User (default) | /dashboard |

 

So, if you log in as admin@gmail.com, you’ll be redirected to /admin/dashboard.

Step 5: Middleware Ensures Access Control

When you try to access a protected page (like /admin/dashboard), Laravel first checks the middleware.

In our routes:

Route::middleware(['auth', 'role:admin'])->group(function(){
    Route::get('/admin/dashboard', [AdminController::class, 'dashboard']);
});

Here’s what happens:

  1. The auth middleware checks whether you are logged in.

    • If not → redirects you to /login.

  2. The role:admin middleware checks your user role:

// $role is the value after "role:" in the route definition ('admin' here)
if ($request->user()->role !== $role) {
    return redirect('dashboard');
}

This ensures that only users with the correct role can view that dashboard.
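A complete middleware class around that role check, as an added example (not code from the original post). The class name Role, its file path, the multi-role parameter and the guest fallback are assumptions made for illustration.

```php
<?php
// app/Http/Middleware/Role.php (hypothetical file and class name; added example)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Register the alias in bootstrap/app.php so routes can use 'role:admin':
//   ->withMiddleware(function (Middleware $middleware) {
//       $middleware->alias(['role' => \App\Http\Middleware\Role::class]);
//   })
class Role
{
    /**
     * Let the request through only when the authenticated user's role is one
     * of the roles listed after "role:", e.g. 'role:admin' or 'role:admin,agent'.
     */
    public function handle(Request $request, Closure $next, string ...$roles): Response
    {
        $user = $request->user();

        // 'auth' normally runs first; fail closed if this middleware is ever
        // attached to a route without it, instead of calling ->role on null.
        if ($user === null) {
            return redirect()->guest(route('login'));
        }

        // Strict in_array(): no type juggling between the stored role and
        // the route parameter.
        if (! in_array($user->role, $roles, true)) {
            // Same outcome as the article's check: back to the generic dashboard.
            return redirect('dashboard');
        }

        return $next($request);
    }
}
```

Keep 'auth' ahead of 'role:…' in the route's middleware list so unauthenticated requests are handled before the role is read.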

Step 6: Controller Loads the Dashboard

Once the middleware allows you in, Laravel runs the controller:

AdminController

public function dashboard()
{
    return view('admin.dashboard');
}

Laravel loads your Blade file (resources/views/admin/dashboard.blade.php). The view can read the current authenticated user through the Auth facade or the global auth() helper.

Inside your Blade, you can display user info like this:

<p>Welcome, {{ Auth::user()->name }}!</p>

Step 7: Session Persists Across Requests

Now that you’re logged in, Laravel keeps your session alive.
Every new request to your app includes the same session cookie, allowing Laravel to instantly recognize your user.

That’s why when you refresh /admin/dashboard, it still knows you’re the admin — no need to log in again.

Step 8: Logout Process

When you click “Logout”, Laravel calls:

Auth::guard('web')->logout();

$request->session()->invalidate();
$request->session()->regenerateToken();

Here’s what happens:

  1. The authentication session is destroyed.

  2. The session data is invalidated.

  3. A new CSRF token is generated for future requests.

You’re now safely logged out.

Summary – Complete Authentication Flow

| Step | Description |
|---|---|
| 1 | User fills login form → POST /login |
| 2 | Laravel validates credentials via LoginRequest |
| 3 | Auth::attempt() checks database and verifies password |
| 4 | Laravel stores user ID in session |
| 5 | Redirects user to role-based dashboard |
| 6 | Middleware (auth + role) checks permissions |
| 7 | Controller renders correct view |
| 8 | Session persists until logout |

Visualization of the Authentication Flow

[Login Form] 
   ↓
[POST /login]
   ↓
[LoginRequest → Auth::attempt()]
   ↓
[Session Created]
   ↓
[Redirect → Role Dashboard]
   ↓
[Middleware Check]
   ↓
[Controller Loads View]
   ↓
[User Authenticated ✅]
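The flow above can be pinned down as feature tests, so a later change to routes or middleware cannot silently open the admin dashboard. This is an added example, not code from the original post; the test file name, the constructed password and a `role` column on the users table are assumptions.

```php
<?php
// tests/Feature/RoleAccessTest.php (hypothetical file; added example)
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;

class RoleAccessTest extends TestCase
{
    use RefreshDatabase;

    // Constructed account; assumes the users table has a `role` column.
    private function makeUser(string $role): User
    {
        return User::factory()->create(['role' => $role, 'password' => Hash::make('constructed-pass')]);
    }

    public function test_guest_is_sent_to_login(): void
    {
        $this->get('/admin/dashboard')->assertRedirect('/login');
    }

    public function test_admin_login_redirects_to_admin_dashboard(): void
    {
        $admin = $this->makeUser('admin');
        $this->post('/login', ['email' => $admin->email, 'password' => 'constructed-pass'])
            ->assertRedirect('/admin/dashboard');
        $this->assertAuthenticatedAs($admin);
    }

    public function test_wrong_password_leaves_visitor_unauthenticated(): void
    {
        $admin = $this->makeUser('admin');
        $this->post('/login', ['email' => $admin->email, 'password' => 'wrong-pass'])
            ->assertSessionHasErrors('email');
        $this->assertGuest();
    }

    public function test_agent_is_bounced_from_admin_dashboard(): void
    {
        $this->actingAs($this->makeUser('agent'))
            ->get('/admin/dashboard')
            ->assertRedirect('/dashboard');
    }
}
```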

Developer Tip

If you want to see what Laravel stores in your session during authentication, you can dump it:

dd(session()->all());

Or to check the logged-in user:

dd(Auth::user());

This is very helpful during debugging when building complex multi-auth systems.


Final Thoughts

Laravel’s authentication system (especially with Breeze) is powerful because:

  • It’s session-based and secure.

  • It’s easily customizable for role-based access.

  • It integrates seamlessly with middleware, policies, and guards.

You now understand not only how to set up multi-auth, but also how Laravel handles authentication internally — from login submission to dashboard redirection.

 


Ahmad Raza

Hi, I'm Ahmad Raza — a passionate Web Developer and Laravel enthusiast.