SessionRevocationReason uses ConstantsTrait
Defines the standard revocation reason identifiers used to populate the `Session.revocationReason` property.
These constants provide a normalized and auditable vocabulary for describing why a session, refresh token, or authentication context has been invalidated by the system.
Typical use cases include:
- Authentication and authorization workflows
- Session lifecycle tracking
- Security audits and incident analysis
- Token revocation middleware
- User account management events
- Logout and forced sign-out flows
Example:
$session->revocationReason = SessionRevocationReason::LOGOUT;
Table of Contents
Constants
- ADMIN_REVOKED : string = 'admin_revoked'
  Indicates that the session was revoked manually by an administrator.
- EMERGENCY_REVOKE : string = 'emergency_revoke'
  Indicates that the session was revoked as part of an emergency security response, typically triggered by an incident, a confirmed compromise, or an automated threat-mitigation workflow.
- LOGOUT : string = 'logout'
  Indicates that the session was revoked after an explicit logout action initiated by the authenticated user.
- ORPHANED : string = 'orphaned'
  Indicates that the session was revoked because it became orphaned, meaning it no longer references a valid owning entity (user, application, device, or originating authentication context).
- TOKENS_REVOKED : string = 'tokens_revoked'
  Indicates that the session was invalidated because the user's authentication tokens became globally invalid.
- USER_DELETED : string = 'user_deleted'
  Indicates that the session was revoked because the associated user account was permanently removed from the system.
- USER_DISABLED : string = 'user_disabled'
  Indicates that the session was revoked because the associated user account was disabled or suspended.
- USER_REVOKED : string = 'user_revoked'
  Indicates that the session was revoked directly by the user outside of a standard logout flow.
Constants
ADMIN_REVOKED
Indicates that the session was revoked manually by an administrator.
`public string ADMIN_REVOKED = 'admin_revoked'`
This reason is generally used during moderation, compliance, security investigations, account recovery operations, or forensic audit procedures.
EMERGENCY_REVOKE
Indicates that the session was revoked as part of an emergency security response, typically triggered by an incident, a confirmed compromise, or an automated threat-mitigation workflow.
`public string EMERGENCY_REVOKE = 'emergency_revoke'`
This reason is reserved for high-severity events where sessions must be terminated immediately, independently of the standard user-driven or administrative revocation flows.
Typical use cases include:
- Suspected or confirmed account takeover
- Credential leak or token exposure detected by monitoring
- Automated revocation initiated by an intrusion-detection system
- Forced global sign-out following a security breach
- Incident-response playbooks requiring immediate session kill
Unlike ADMIN_REVOKED, this revocation is not a routine moderation action but an exceptional measure, and should be surfaced accordingly in audit trails and security dashboards.
LOGOUT
Indicates that the session was revoked after an explicit logout action initiated by the authenticated user.
`public string LOGOUT = 'logout'`
This is the standard revocation reason for voluntary sign-out operations.
ORPHANED
Indicates that the session was revoked because it became orphaned, meaning it no longer references a valid owning entity (user, application, device, or originating authentication context).
`public string ORPHANED = 'orphaned'`
This reason is typically surfaced by background cleanup jobs or integrity checks that detect sessions whose referential links are broken — for example a session whose owner record was removed outside of the standard deletion flow, or whose originating client or device entry no longer exists.
Typical use cases include:
- Scheduled garbage-collection of dangling sessions
- Referential-integrity sweeps after a hard delete or data import
- Reconciliation between the IdP and the local session store
- Detection of sessions whose owning application was decommissioned
- Cleanup of sessions left behind by an interrupted deletion flow
Unlike USER_DELETED, which records an intentional user-deletion event, ORPHANED describes a detected dangling state without a known triggering event, and is primarily used for audit and cleanup purposes.
TOKENS_REVOKED
Indicates that the session was invalidated because the user's authentication tokens became globally invalid.
`public string TOKENS_REVOKED = 'tokens_revoked'`
This typically occurs when the application updates the `tokensInvalidBefore` cutoff timestamp on the user entity, causing all access or refresh tokens issued before that date to be rejected.
This reason may be surfaced by authentication middleware in 401 Unauthorized responses when an access token's `iat` (issued-at timestamp) predates the invalidation cutoff.
USER_DELETED
Indicates that the session was revoked because the associated user account was permanently removed from the system.
`public string USER_DELETED = 'user_deleted'`
USER_DISABLED
Indicates that the session was revoked because the associated user account was disabled or suspended.
`public string USER_DISABLED = 'user_disabled'`
This commonly occurs when the user's status changes from
'active' to 'disabled', preventing any further authenticated
access until the account is restored.
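The cutoff check described under TOKENS_REVOKED, together with the USER_DISABLED status check, sketched as middleware decision logic. This is an added example, not code from the library: the stand-in class, the `rejectionReason()` helper, the array shapes and the timestamps are assumptions; only the constant values, the `tokensInvalidBefore` and `iat` names and the 'active'/'disabled' statuses come from this page.

```php
<?php
declare(strict_types=1);

// Stand-in so the file runs alone; the two values are copied from this page.
final class SessionRevocationReason
{
    public const TOKENS_REVOKED = 'tokens_revoked';
    public const USER_DISABLED  = 'user_disabled';
}

/**
 * Hypothetical helper: returns the reason a signature-verified token must be
 * rejected with 401, or null when it is still acceptable.
 * $claims = decoded token claims; $user = ['status' => ..., 'tokensInvalidBefore' => ?int].
 */
function rejectionReason(array $claims, array $user): ?string
{
    // A disabled account blocks access no matter when the token was issued.
    if (($user['status'] ?? null) === 'disabled') {
        return SessionRevocationReason::USER_DISABLED;
    }
    $cutoff = $user['tokensInvalidBefore'] ?? null;
    if ($cutoff === null) {
        return null; // no global invalidation recorded for this user
    }
    // Assumption: fail closed when iat is absent or not an integer, since the
    // token cannot be shown to postdate the cutoff.
    $iat = $claims['iat'] ?? null;
    if (!is_int($iat)) {
        return SessionRevocationReason::TOKENS_REVOKED;
    }
    // Strict comparison: only tokens issued before the cutoff are rejected.
    return $iat < $cutoff ? SessionRevocationReason::TOKENS_REVOKED : null;
}

// Constructed sample data (timestamps are arbitrary).
$cutoff = 1700000000;
$active = ['status' => 'active', 'tokensInvalidBefore' => $cutoff];
$cases = [
    'issued before cutoff' => [['iat' => $cutoff - 60], $active],
    'issued at cutoff'     => [['iat' => $cutoff], $active],
    'iat claim missing'    => [[], $active],
    'no cutoff set'        => [['iat' => 1], ['status' => 'active', 'tokensInvalidBefore' => null]],
    'account disabled'     => [['iat' => $cutoff + 60], ['status' => 'disabled', 'tokensInvalidBefore' => null]],
];
foreach ($cases as $label => [$claims, $user]) {
    printf("%-22s => %s\n", $label, rejectionReason($claims, $user) ?? 'accepted');
}
```

The returned value is the one to store in `Session.revocationReason` and to record in the audit trail alongside the 401 response.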
USER_REVOKED
Indicates that the session was revoked directly by the user outside of a standard logout flow.
`public string USER_REVOKED = 'user_revoked'`
This reason is typically used when a user explicitly invalidates one or more active sessions from an account security interface, such as a "Sign out from other devices" or "Revoke session" action.
Unlike LOGOUT, this revocation may target remote or previously established sessions without terminating the current authenticated context.