Session Configuration

Easy

Validates session security settings and configuration.

Estimated fix time: 10 minutes

What is Session Security?

Session configuration controls how Laravel manages user sessions. Improper configuration can lead to session hijacking, fixation attacks, and unauthorized access.

Security Impact

Severity: Medium to High

  • Session hijacking
  • Session fixation
  • Cross-site attacks
  • Unauthorized access
  • CSRF vulnerabilities

How to Fix

1. Configure Secure Cookies

// config/session.php
'secure' => env('SESSION_SECURE_COOKIE', true),
'http_only' => true,
'same_site' => 'lax',

# .env
SESSION_SECURE_COOKIE=true
SESSION_DOMAIN=.yourdomain.com
SESSION_DRIVER=redis  # Or database for production

2. Set Appropriate Lifetime

// config/session.php
'lifetime' => 120, // minutes of inactivity before expiry (2 hours)
'expire_on_close' => false,

3. Use Database or Redis Sessions

// config/session.php
'driver' => env('SESSION_DRIVER', 'redis'),

// config/database.php
// A dedicated Redis connection for sessions; select it with SESSION_CONNECTION=session
'redis' => [
    'session' => [
        'host' => env('REDIS_HOST', '127.0.0.1'),
        'password' => env('REDIS_PASSWORD'),
        'port' => env('REDIS_PORT', 6379),
        'database' => 1,
    ],
],

4. Regenerate Session on Login

// Automatically handled by Laravel, but ensure it's working:
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

public function login(Request $request)
{
    $credentials = $request->validate(['email' => 'required|email', 'password' => 'required']);

    if (Auth::attempt($credentials)) {
        $request->session()->regenerate(); // new session ID, so a pre-login ID cannot be reused
        return redirect()->intended('dashboard');
    }

    return back()->withErrors(['email' => 'Invalid credentials.']);
}

5. Clear Session on Logout

public function logout(Request $request)
{
    Auth::logout();
    $request->session()->invalidate();      // flush session data and issue a new session ID
    $request->session()->regenerateToken(); // rotate the CSRF token as well

    return redirect('/');
}

Verification Steps

  1. Check session cookie has Secure flag
  2. Verify HttpOnly is set
  3. Test SameSite attribute
  4. Confirm session regenerates on login
  5. Verify logout clears session
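Steps 1 to 3 can be scripted. The following is an added example, not part of the original guide: a POSIX shell function that parses a Set-Cookie header and reports whether Secure, HttpOnly and SameSite=lax|strict are present, plus a curl wrapper whose URL is an assumption to replace with a page of your own application.

```sh
#!/bin/sh
# Added example, not part of the original guide: checks a Set-Cookie header
# for the Secure, HttpOnly and SameSite=lax|strict attributes that the
# session config above sets (verification steps 1-3).
# Prints "ok" and returns 0, or prints the missing attributes and returns 1.
check_session_cookie() {
    has_secure=0; has_httponly=0; samesite=""; missing=""
    old_ifs=$IFS; IFS=';'; first=1
    # Split on ';' and skip the leading name=value pair so a cookie value
    # that happens to contain the word "secure" is not counted.
    for part in $1; do
        if [ "$first" = 1 ]; then first=0; continue; fi
        attr=$(printf '%s' "$part" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
        case "$attr" in
            secure)     has_secure=1 ;;
            httponly)   has_httponly=1 ;;
            samesite=*) samesite=${attr#samesite=} ;;
        esac
    done
    IFS=$old_ifs
    [ "$has_secure" = 1 ]   || missing="$missing Secure"
    [ "$has_httponly" = 1 ] || missing="$missing HttpOnly"
    case "$samesite" in
        lax|strict) ;;
        "")         missing="$missing SameSite" ;;
        *)          missing="$missing SameSite(=$samesite)" ;;
    esac
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    printf 'ok\n'
}

# Run the check against every Set-Cookie header a live app returns.
# The URL is an assumption; point it at a page of your own application.
check_live_app() {
    curl -sSI "${1:-https://localhost/login}" \
        | sed -n 's/^[Ss]et-[Cc]ookie:[[:space:]]*//p' \
        | while IFS= read -r line; do
            printf '%s -> ' "${line%%=*}"
            check_session_cookie "$line" || true
        done
}
```

Run `check_live_app https://your-app.example/login` after deploying the configuration; every cookie line should print `ok`, and the XSRF-TOKEN cookie is expected to lack HttpOnly because the front end reads it.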

Complete Configuration

// config/session.php
use Illuminate\Support\Str;

return [
    'driver' => env('SESSION_DRIVER', 'redis'),
    'lifetime' => env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,
    'encrypt' => false,
    'files' => storage_path('framework/sessions'),
    'connection' => env('SESSION_CONNECTION'),
    'table' => 'sessions',
    'store' => env('SESSION_STORE'),
    'lottery' => [2, 100],
    'cookie' => env(
        'SESSION_COOKIE',
        Str::slug(env('APP_NAME', 'laravel'), '_').'_session'
    ),
    'path' => '/',
    'domain' => env('SESSION_DOMAIN'),
    'secure' => env('SESSION_SECURE_COOKIE', true),
    'http_only' => true,
    'same_site' => 'lax',
];

Best Practices

  • Use secure cookies in production (HTTPS)
  • Set HttpOnly to prevent JavaScript access
  • Use SameSite=lax or strict
  • Store sessions in Redis or database
  • Implement reasonable lifetime
  • Regenerate on privilege elevation
  • Clear on logout
  • Monitor for suspicious activity

Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
