Why does Session Configuration matter for Laravel security?

Failing to address session configuration can leave your Laravel application vulnerable to attacks. StackShield continuously monitors for this issue so you can catch it before attackers do.

How do I fix a Session Configuration issue?

This is rated as an easy fix, typically taking 10 minutes. See the full documentation above for step-by-step instructions.

Fix Laravel Session Configuration: Secure Cookies, SameSite, HttpOnly

What This Check Detects

Validates session security settings and configuration.

Full Documentation

What is Session Security?

Session configuration controls how Laravel manages user sessions. Improper configuration can lead to session hijacking, fixation attacks, and unauthorized access.

Security Impact

Severity: Medium to High

Session hijacking
Session fixation
Cross-site attacks
Unauthorized access
CSRF vulnerabilities

How to Fix

1. Configure Secure Cookies

// config/session.php
'secure' => env('SESSION_SECURE_COOKIE', true),
'http_only' => true,
'same_site' => 'lax',

# .env
SESSION_SECURE_COOKIE=true
SESSION_DOMAIN=.yourdomain.com
SESSION_DRIVER=redis  # Or database for production

2. Set Appropriate Lifetime

// config/session.php
'lifetime' => 120, // 2 hours
'expire_on_close' => false,

3. Use Database or Redis Sessions

// config/session.php
'driver' => env('SESSION_DRIVER', 'redis'),

// config/database.php
'redis' => [
    'session' => [
        'host' => env('REDIS_HOST', '127.0.0.1'),
        'password' => env('REDIS_PASSWORD'),
        'port' => env('REDIS_PORT', 6379),
        'database' => 1,
    ],
],

4. Regenerate Session on Login

// Automatically handled by Laravel, but ensure it's working:
public function login(Request $request)
{
    if (Auth::attempt($credentials)) {
        $request->session()->regenerate();
        return redirect()->intended('dashboard');
    }
}

5. Clear Session on Logout

public function logout(Request $request)
{
    Auth::logout();
    $request->session()->invalidate();
    $request->session()->regenerateToken();
    
    return redirect('/');
}

Verification Steps

Check session cookie has Secure flag
Verify HttpOnly is set
Test SameSite attribute
Confirm session regenerates on login
Verify logout clears session

Complete Configuration

// config/session.php
return [
    'driver' => env('SESSION_DRIVER', 'redis'),
    'lifetime' => env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,
    'encrypt' => false,
    'files' => storage_path('framework/sessions'),
    'connection' => env('SESSION_CONNECTION'),
    'table' => 'sessions',
    'store' => env('SESSION_STORE'),
    'lottery' => [2, 100],
    'cookie' => env(
        'SESSION_COOKIE',
        Str::slug(env('APP_NAME', 'laravel'), '_').'_session'
    ),
    'path' => '/',
    'domain' => env('SESSION_DOMAIN'),
    'secure' => env('SESSION_SECURE_COOKIE', true),
    'http_only' => true,
    'same_site' => 'lax',
];

Best Practices

Use secure cookies in production (HTTPS)
Set HttpOnly to prevent JavaScript access
Use SameSite=lax or strict
Store sessions in Redis or database
Implement reasonable lifetime
Regenerate on privilege elevation
Clear on logout
Monitor for suspicious activity

Related Issues

CSRF Protection
JWT Token Security
Brute Force Protection

Related Security Checks

JWT Token Security

Detects weak JWT tokens (HS256, missing exp).

Medium fix 30 minutes

CSRF Protection

Verifies CSRF token implementation on forms and APIs.

Easy fix 10 minutes