Anderson Vanzo

Reputation: 30

When Regenerate Session ID Laravel?

I'm building an application with login and I have read about regenerating the Session ID using $request->session()->regenerate();, but I didn't understand where I should use this. Can someone explain to me when and where I should regenerate the Session ID?

Upvotes: 5

Views: 2247

Answers (3)

Rj Viraj Chamara

Reputation: 11

What is a Session? In Laravel, a session is a parameter-passing mechanism which enables us to store data across multiple requests. A session allows us to keep track of a visitor across the application. Laravel uses a driver-based system for session management; each driver is used to define where the session data will be stored. The Laravel framework has the following built-in session drivers –

Ref: https://laravel.com/docs/5.6/session#regenerating-the-session-id

Ref: https://owasp.org/www-community/attacks/Session_fixation

Ref: https://www.w3adda.com/laravel-tutorial/laravel-session

Upvotes: 1

John Lobo

Reputation: 15339

If you look at the default authentication, you can see that for every login they regenerate the session.

protected function sendLoginResponse(Request $request)
{
    // Credentials have already been verified at this point; swap the
    // session ID before responding so a pre-login ID cannot be reused.
    $request->session()->regenerate();

    $this->clearLoginAttempts($request);

    if ($response = $this->authenticated($request, $this->guard()->user())) {
        return $response;
    }

    return $request->wantsJson()
                ? new JsonResponse([], 204)
                : redirect()->intended($this->redirectPath());
}

The main aim of regenerating the session ID is to prevent malicious users from exploiting a session fixation attack on your application.

What is Session fixation?

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn’t assign a new session ID, making it possible to use an existent session ID. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim’s browser use it.

As per the documentation:

Regenerating the session ID is often done in order to prevent malicious users from exploiting a session fixation attack on your application.

Laravel automatically regenerates the session ID during authentication if you are using one of the Laravel application starter kits or Laravel Fortify; however, if you need to manually regenerate the session ID, you may use the regenerate method:

$request->session()->regenerate();

If you need to regenerate the session ID and remove all data from the session in a single statement, you may use the invalidate method:

$request->session()->invalidate();

Ref: https://laravel.com/docs/8.x/session

Ref: https://owasp.org/www-community/attacks/Session_fixation

Upvotes: 3

shalini

Reputation: 1300

https://laravel.com/docs/5.6/session#regenerating-the-session-id

As said in the documentation, there is no need to regenerate the session ID if you are using the built-in LoginController; the framework does that part.

If you are using custom code, when the password/username are validated successfully you can manually generate the session ID by calling $request->session()->regenerate()

Upvotes: 1
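As an added example (not code from any of the answers above or from Laravel's own source), here is a hand-written login controller for an application that does not use the starter kits or Fortify, showing the exact point at which to call regenerate() and the matching invalidate() on logout. The controller name, the error message and the '/dashboard' redirect path are assumptions.

```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

// Added example controller (assumed name); not part of any Laravel package.
class SessionController extends Controller
{
    // Handle the login form submission.
    public function store(Request $request)
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required'],
        ]);

        // Up to here the request still carries whatever session ID the
        // browser sent, which may have been handed to the user by a third
        // party. Do not regenerate yet: a failed attempt stays anonymous.
        if (! Auth::attempt($credentials, $request->boolean('remember'))) {
            return back()->withErrors([
                'email' => 'These credentials do not match our records.',
            ]);
        }

        // Credentials accepted: this is the moment to swap the session ID.
        // Session data (including the now-authenticated user) is kept, but
        // it is saved under a fresh ID, so a previously known ID no longer
        // refers to the authenticated session.
        $request->session()->regenerate();

        return redirect()->intended('/dashboard'); // assumed path
    }

    // Handle logout: drop all session data, then issue a new CSRF token so
    // the next visitor in this browser starts from a clean state.
    public function destroy(Request $request)
    {
        Auth::logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```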
