Laravel login as user without their password

David Carr

3 min read - 4th Jan, 2018

There are times you want to log in as another user to test their user permissions, you'll want to do this without knowing their password.

Typically you'll want to be in an admin area, in your overall layout file create a select menu listing all users inside of form that will post to a route. In this example, admin/users/loginas as we're using post make sure to use csrf_field() with the form.

Wrap the code inside of a check for the user you want to allow this ability to. In this example the @if ($user->id == 1) restricts this just to the user with an id of 1

@if ($user->id == 1)
    <form action='{{ url('admin/users/loginas') }}' method='post'>
    {{ csrf_field() }}

    <select name='user_id' onchange='this.form.submit()'>
        <option value="">Select</option>
        @foreach (\App\User::get() as $row)
            <option value='{{{ $row->id }}}'>{{{ $row->name }}}</option>



Once this is processed sessions will be used to store the original user id and also the cloned user id so once you're logged in as the user you can have an option to return back to your original user account.

If cloned show link to return to the original account.

Check if the session hasClonedUser is equal to 1.

Create a link with an onlick event to stop the link following its default behavior and using javascript to subject a form. The document.getElementById('cloneuser-form').submit() releates to the form with an id of cloneuser-form.

The form will post to admin/users/loginas

@if (Session::get('hasClonedUser') == 1)

    <a onclick="event.preventDefault(); document.getElementById('cloneuser-form').submit();"><span>Return</span></a>
    <form id="cloneuser-form" action="{{ url('admin/users/loginas') }}" method="post">
        {{ csrf_field() }}


A route is needed for this action:

Route::post('users/loginas', 'UsersController@loginAs');

Next, in the controller create a loginAs method.

First get the user_id from the post data and assign it to a local variable called $id

Check if the session hasClonedUser is equal to 1, this check runs to look for an existing session in order to reverse the login as a user.

if the session does exist and is equal to 1 then log the original user back in by using their id stored in a session called hasClonedUser, followed by removing the session and redirecting back.

Another check is run to make sure the logged in user has an id of 1. Then store the user id in a session called hasClonedUser then logs in as the new user by passing the user id to auth()->loginUsingId($id) and then redirecting back.

public function loginAs()
    //get the id from the post
    $id = request('user_id');

    //if session exists remove it and return login to original user
    if (session()->get('hasClonedUser') == 1) {
        return redirect()->back();

    //only run for developer, clone selected user and create a cloned session
    if (auth()->user()->id == 1) {
        session()->put('hasClonedUser', auth()->user()->id);
        return redirect()->back();

This is all that is needed to be able to clone a user and use your application as them and at any time being able to return to your original login.

Add a comment

Copyright © 2006 - 2024 DC Blog - All rights reserved.