I use Laravel Framwork for all my php projects, and I am wondering if Laravel 5* store user critical information in session or cookies. I mean in server side or client side.
Related
I want to build the application in a completely stateless architecture. Can I do this with Laravel? Think of it this way. The session information of a person logging into server A is registered with server A, and when there is a new request, LB sends this request to server B, and server B does not recognize this session information. I can keep my session information in the db with redis, but instead I want to use a completely stateless structure. Honestly I'm wondering if I can do this with laravel passport on the web ui side.If you have such an example, please do not hesitate to share it.
I have 3 apps and those 2 are laravel apps and 1 is vuejs
I've tried setting up session to store session data in to the database so that I can have a shared sessions between my apps.
Things work between laravel apps, however, I have trouble when it comes to my vuejs app.
Btw, in order to proceed to any of my vue routes, I have to check first if token exists and is correct.
But since I am using laravel sessions now, I guess I need to check for cookie session id now?
and if so, where do I set the cookie session id?
Better use Laravel passport (OAuth) as a token generation for you Vue application.
on Laravel 4.2 and using Sentry 2.1, it looks like there is no way to have Sentry use the same cookie as the laravel session. Right now, the cookies for Sentry are being set for 5 years into the future by default. I don't see a way in their configs for this to change. Looking in the package code, I do see the 'forever' function, but the time is not configurable from what I can tell.
The question here is how can you maintain a user's laravel session cookie is expiring sooner than the Sentry cookie, since some features are toggled on/off in session within Laravel, and if the cookie expiration is long than the Laravel session, it will throw the system into thinking it's OK for that user to be logged in when really the Laravel session is now an entirely new session.
CodeIgniter 2 regenerates the session id on every http-call. This leads to problems with concurrent ajax calls. This makes it possible that client and server get out of sync and the session is lost. A Fix to this is not updating the session on ajax-calls (see Codeigniter session bugging out with ajax calls). But if you use CodeIgniter as an API for a single page application, where every call is ajax, this just leads to the session never being updated at all. The user just get logged out after the session timeout (default 5 minutes).
In CodeIgniter 3 they attempted to fix this by using a write lock (see https://github.com/bcit-ci/CodeIgniter/issues/3073) on session storage. Because this relies on a Database-Feature it is only possible to safely store session information in MySQL and PostgreSQL. Redis for example can not be used (see http://www.codeigniter.com/userguide3/installation/upgrade_300.html#step-6-update-your-session-library-usage).
Finally my question is: How does Laravel handle this Problem? Laravel can use Redis for session storage. So when does laravel regenerate the session id? And if Laravel doesnt regenerate it automatically on every http request, how can this be judged in context of security aspects?
Like pstephan1187 noted, "Laravel only regenerates the session ID when you sign in and sign out". CSRF Protection is used against cross-site request forgeries, and it consists of a field that is required by default (Laravel 5) in POST, PUT and DELETE requests.
Handling this in ajax-calls is outside the functionality offered by Laravel, but can be worked around pretty easily.
For more information about Laravel sessions, see the official documentation (Which, by the way, is a very nice and easy-to-understand read).
I will be using stateless web app architecture. For authentication I will be encrypting the authenticationid and putting it in client cookie and sending it to client as described here.
But I see that when a get request is send to the server, the response contains a cookie named laravel_session. I've read that for a stateless architecture, there should be no session as otherwise it would mean that session state is stored at server.
How to remove any kind of session from laravel to make my app stateless?
Set session driver:
Laravel v5.7.0: config/session.php
Laravel v4.2.0: app/config/session.php
cookie - a cookie-based session driver where session data is encrypted in the user's cookies.
array - session data is saved in a PHP array. Take note that the array session driver does not support persistence and is usually only used in console commands and tests.