Elevated Sessions
Elevated Sessions allow you to prompt users for their password or a verification code before they can take certain actions.

Once you’ve started an elevated session, you won’t be prompted for your password again until the session expires. By default, elevated sessions last for 15 minutes.
Statamic uses elevated sessions before allowing you to update your 2FA settings, edit roles or manage other users. It’s trivial to integrate elevated sessions into your own code.
JavaScript
You can use the requireElevatedSession function to ensure users are who they say they are before continuing.
When a user needs to verify themselves, a modal will be shown, prompting them to enter their password or a verification code. Once an elevated session has been established, the promise will be resolved and the code in the .then() callback will be run.
If the user closes the modal, the promise will be rejected.
<script setup>
import { requireElevatedSession } from '@statamic/cms';

function submit() {
    requireElevatedSession()
        .then(() => {
            // Your code here. The user has an elevated session.
        })
        .catch(() => {});
}
</script>
We also provide a requireElevatedSessionIf function allowing you to conditionally require elevated sessions, like this:
<script setup>
import { requireElevatedSessionIf } from '@statamic/cms';
import { ref } from 'vue';

const isEditingOwnProfile = ref(true);

function submit() {
    requireElevatedSessionIf(!isEditingOwnProfile.value)
        .then(() => {
            // Your code here. The user has an elevated session.
        })
        .catch(() => {});
}
</script>
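The trailing .catch(() => {}) in the snippets above handles the rejection from a closed modal, but it also catches any error thrown inside .then(), so a failed sensitive action can pass silently. The following is an added example, not code from the Statamic docs or code base, that separates the two cases; runElevated, trailingCatch and the stand-in modal functions are hypothetical names, and requireElevatedSession is passed in as a parameter so the block runs outside the Control Panel.

```javascript
// Added example (not Statamic code). requireElevatedSession is passed in as a
// parameter so this runs outside the Control Panel; in an addon you would pass
// the function imported from '@statamic/cms'. `action` is a hypothetical
// callback that performs the sensitive request.

// Mirrors the shape used on this page: one trailing catch for everything.
function trailingCatch(requireElevatedSession, action) {
    return requireElevatedSession()
        .then(() => action())
        .catch(() => {}); // hides a closed modal AND a failed action
}

// Two-argument then(): the second handler only sees the rejection from
// requireElevatedSession() (the user closed the modal). Errors from action()
// reject the returned promise so the caller can report them.
function runElevated(requireElevatedSession, action) {
    return requireElevatedSession().then(
        async () => ({ status: 'done', value: await action() }),
        () => ({ status: 'cancelled' })
    );
}

// Constructed stand-ins for the two modal outcomes.
const modalConfirmed = () => Promise.resolve();
const modalClosed = () => Promise.reject(new Error('modal closed'));

async function demo() {
    let calls = 0;
    const save = async () => { calls++; return 'role saved'; };
    const failingSave = async () => { calls++; throw new Error('save failed'); };

    const done = await runElevated(modalConfirmed, save);
    const cancelled = await runElevated(modalClosed, save); // save is not called
    const hidden = await trailingCatch(modalConfirmed, failingSave); // undefined
    let surfaced = null;
    try {
        await runElevated(modalConfirmed, failingSave);
    } catch (error) {
        surfaced = error.message;
    }
    return { done, cancelled, hidden, surfaced, calls };
}

demo().then((result) => console.log(result));
```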
PHP
Middleware
The easiest way to require an elevated session in PHP is by adding the RequireElevatedSession middleware to your routes.
use Statamic\Http\Middleware\CP\RequireElevatedSession;

// Require an elevated session before this route is handled.
Route::get('profile', [ProfileController::class, 'index'])
    ->middleware(RequireElevatedSession::class);
The middleware will redirect the user to a page where they can confirm their password. After that, they’ll be redirected back to your route.
Controller
You can also require an elevated session in your controller by calling the requireElevatedSession() method.
use Statamic\Http\Controllers\CP\CpController;

class ProfileController extends CpController
{
    public function update()
    {
        $isEditingOwnProfile = true;

        if (! $isEditingOwnProfile) {
            // Not the user's own profile: require an elevated session first.
            $this->requireElevatedSession();
        }

        // ...
    }
}
When the user doesn’t have an elevated session, they’ll be redirected to a page where they can confirm their password. After that, they’ll be redirected back to your route.
Your controller will need to extend Statamic’s CpController in order to use the requireElevatedSession() method.