What is the use of "laravel_session" cookie? - laravel

So i have created a project and right now i have to give information about every cookie that it is used. I am using laravel 5.0 and the cookies that are used by laravel are the below :
1) laravel_session
2) XSRF-TOKEN
I know about the second one, but i can't find information about the first one. Is it about knowing the current user? The project also uses socialite - facebook.
Please, if you need any further information feel free to ask and i will provide.

Internally laravel uses laravel_session to identify a session instance for a user, this can be changed by going into config/session.php and editing the cookie value

Related

Laravel: Login form "Remember Me" functionality not working

One of my website is developed in Laravel, it was working fine before. What does is I want to move website from beta.example.com to example.com so I have pointed to beta with original domain name(example.com).
The Website is working fine but all remember me functionality is not working. Now Users have to enter the password and also if they check the check box (remember me) still it does not store the password in cookies or session.
Please help me.
Thank you
You have two options:
1) Add remember_token column in your users table - this is where the token will be stored.
2) Pass true as a second parameter of Auth::attempt() to enable remember me behaviour.
If you do this, Laravel will generate a token that will be saved in users table and in a cookie.
On subsequent requests, even if session cookie is not available, user will be authenticated automatically as long as remember-me cookie is there.

Sentry Cookie not attaching

I am working on Laravel 4 application and using Sentry for authentication. I need to add Keep Me Logged In functionality into my application. I have googled around and found that passing second variable to Sentry::login($user, $remember) sets up a cookie. I have done that and can verify that it is working from the browser (Chrome). But somehow whenever I try Sentry::check() after a day it returns null for cookies. Even when the cookie is present in the browser. Can anyone point out what am I doing wrong? Same happens when I attach my custom cookie to the response.
This scenario happens on my production server. Whereas it works fine on my local server.
PS: Lifetime of the cookie is set to forever (5 Years)
After working around for sometime on the issue I was finally able to resolve the issue by creating and attaching custom cookie to the response after login. And then wrote a middleware to check for that cookie. If present then login user and continue.

Does Laravel regenerate the Session ID? (compared to CodeIgniter)

CodeIgniter 2 regenerates the session id on every http-call. This leads to problems with concurrent ajax calls. This makes it possible that client and server get out of sync and the session is lost. A Fix to this is not updating the session on ajax-calls (see Codeigniter session bugging out with ajax calls). But if you use CodeIgniter as an API for a single page application, where every call is ajax, this just leads to the session never being updated at all. The user just get logged out after the session timeout (default 5 minutes).
In CodeIgniter 3 they attempted to fix this by using a write lock (see https://github.com/bcit-ci/CodeIgniter/issues/3073) on session storage. Because this relies on a Database-Feature it is only possible to safely store session information in MySQL and PostgreSQL. Redis for example can not be used (see http://www.codeigniter.com/userguide3/installation/upgrade_300.html#step-6-update-your-session-library-usage).
Finally my question is: How does Laravel handle this Problem? Laravel can use Redis for session storage. So when does laravel regenerate the session id? And if Laravel doesnt regenerate it automatically on every http request, how can this be judged in context of security aspects?
Like pstephan1187 noted, "Laravel only regenerates the session ID when you sign in and sign out". CSRF Protection is used against cross-site request forgeries, and it consists of a field that is required by default (Laravel 5) in POST, PUT and DELETE requests.
Handling this in ajax-calls is outside the functionality offered by Laravel, but can be worked around pretty easily.
For more information about Laravel sessions, see the official documentation (Which, by the way, is a very nice and easy-to-understand read).

Laravel 5 non persistent session

I'm just installed a fresh L5 app. I'm attempting to use database driven sessions however a new session appears to be created on each page load.
Has anyone come across this issue and managed to resolve?
"_token" value is new on each refresh.
I'm happy that the cookies have been configured correctly.
Not sure where to look next.
Any suggestions would be a huge help.
Thanks in advance
Have you ensured your session domain is set correctly? Your session domain should be the domain alone, for example domain.com, no URIs or protocols (http://), etc.
You may also want to check that SESSION_HTTPS is set to false, unless you're accessing your site over https.
If either are not set correctly sessions will not be correctly stored by the browser, so each request results in a new session.
The _token key will always be a new value for each request, this is part of the CSRF security feature.

Laravel 4: reading cookies set by javascript

If I set a cookie with javascript, how would I read it using Laravel 4?
The reason I'm asking is that the docs say:
All cookies created by the Laravel framework are encrypted and signed
with an authentication code, meaning they will be considered invalid
if they have been changed by the client.
Just use the native PHP command to retrieve cookies: $_COOKIE['cookie'])
Or perhaps you can set the cookie via an AJAX command (rather than JS doing it itself) - and have Laravel set the cookie supplied by JS on its behalf?
This link confirms setting cookies via AJAX - it will just be a variation of that.
In Laravel 5.6 (and maybe earlier versions too):
Specify the cookie name in the $except array within App\Http\Middleware\EncryptCookies.php.
It tells Laravel that those cookies aren't encrypted (and therefore don't need to be decrypted when read).
(P.S. Thanks to https://github.com/laravel/laravel/pull/460#issuecomment-377537771)

Resources