Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
When dealing with the concept of an admin control panel of sorts, it's best to have a separate admin session table with strict expiration times and separate tokens to minimize the risk that a regular "remember me" token can get stolen.
Generally these sessions are stored in a database table with a last activity timestamp and maybe a few other pieces of information.
But my question is, what's the best way to include this token on each request, through a URL parameter like ?session=... or through a separate cookie? What are the security implications of each method?
I think that using the url is less secure and makes the url very large and the url has a limited size.
A cookie using Laravel is a better option because it gets hashed and if anything external mess with the cookie data, Laravel will discard it, of course, the cookie is stored within the client and can be accesed.
Hope it helps
Please or to participate in this conversation.