My first question is: Does Laravel save any cookies out of the box?
The main point is to save something that can identify the user's browser and check whether the current authenticated user's browser is the same as the saved one when doing specific actions on the website. How can I do that, and what should I actually save as a cookie? How do I set and retrieve cookies?
The default is to use session cookies for user identification.
Open your developer tools and look at the Application tab (Chrome).
Your question is not really valid, since the user can only access the server as that user when presenting the same cookie that they got when logging in. They could of course open another browser and log in again; now they would have two authenticated sessions.
@Laralex cookies are encrypted (response) and decrypted (request) in the EncryptCookies middleware - so naturally the encrypted value would change every time.
@tykus Okay, I have another question which is related to this thread. I actually want to do something like a user/browser activity log, so I can make the logic to check if this user has suspicious activity. Any suggestions on how to structure that? Or any other ideas to check for suspicious activity?
@Laralex How to structure what, exactly? I don't know what constitutes suspicious activity in the context of your application, or how setting a cookie is a potential solution.
@tykus Suspicious activity is browsing the website from the same browser with different IPs, posting content with different IPs, changing the browser with another profile but the same IP and other stuff like that.
@Laralex there are any number of ways to try to identify and mitigate suspicious activity like you describe. Assuming we are talking about authenticated users, I would consider invalidating other sessions whenever a User authenticates.
Next, cookies and the session are not particularly useful in themselves to prevent duplicate sessions. I would consider implementing a middleware which (i) stores the current user's IP, browser/device information etc. against the auth()->id() in cache, (ii) compares the cached information for the authenticated user against the current request, and (iii) throws an AuthorizationException if appropriate.
This is a most basic approach, and it relies on the user being authenticated; if these are guest sessions, then all bets are off.
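One way to implement the middleware sketched in the comment above, as an added example that is not part of the original thread or of Laravel itself. It stores an HMAC of the client's IP address and User-Agent in the cache under the authenticated user's id on the first request it sees, compares every later request against it, and throws an AuthorizationException on a mismatch. The class name BindSessionToClient, the cache key prefix, the TTL and the choice to hash the fingerprint with APP_KEY are all assumptions of this example; the Laravel calls (Request::ip(), Request::userAgent(), Cache::get()/put(), AuthorizationException, auth()->id()) are real.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;

/**
 * Example middleware (not Laravel's own): binds an authenticated user to the
 * IP address and User-Agent seen on the first request and rejects later
 * requests from a different client.
 *
 * Register it in a route group or in the 'web' middleware group AFTER the
 * session and authentication middleware, so that auth()->id() is populated.
 */
class BindSessionToClient
{
    /** Cache key prefix (assumed name). */
    private const KEY_PREFIX = 'client-fingerprint:';

    /** Cache entry lifetime in seconds (assumed value; align it with the session lifetime). */
    private const TTL = 7200;

    public function handle(Request $request, Closure $next)
    {
        $userId = auth()->id();

        // Guest traffic has no stable identity to bind to; let it through.
        if ($userId === null) {
            return $next($request);
        }

        $key     = self::KEY_PREFIX . $userId;
        $current = self::fingerprint($request);
        $stored  = Cache::get($key);

        if ($stored === null) {
            // First request for this user: record the client fingerprint.
            Cache::put($key, $current, self::TTL);
        } elseif (! hash_equals($stored, $current)) {
            // IP or User-Agent differs from the recorded client: treat as
            // suspicious. Drop this session and refuse the request. An audit
            // log entry (user id, both fingerprints, route) would go here.
            $request->session()->invalidate();

            throw new AuthorizationException(
                'This session does not match the client it was issued to.'
            );
        }

        return $next($request);
    }

    /**
     * Overwrite the stored fingerprint for a user with the current request's
     * one. Call this from a listener on Illuminate\Auth\Events\Login so that a
     * fresh login rebinds the account to the new client; the previous client
     * then fails the comparison on its next request, which is one way to get
     * the "invalidate other sessions when a user authenticates" behaviour.
     */
    public static function bind(Request $request, $userId): void
    {
        Cache::put(self::KEY_PREFIX . $userId, self::fingerprint($request), self::TTL);
    }

    /**
     * Fixed-length fingerprint of the client. Keyed with APP_KEY so the cache
     * holds an HMAC rather than raw IPs and User-Agents.
     */
    private static function fingerprint(Request $request): string
    {
        $material = implode('|', [
            $request->ip(),
            $request->userAgent() ?? '',
        ]);

        return hash_hmac('sha256', $material, (string) config('app.key'));
    }
}
```

Two caveats a practitioner would want before deploying something like this. First, Request::ip() only reports the real client address when the TrustProxies middleware is configured for your load balancer; behind an untrusted proxy every user looks like the proxy. Second, IP and User-Agent are weak, legitimately changing signals: mobile users roam between networks, corporate and carrier NATs rotate addresses, and browsers change their User-Agent string on auto-update, so a strict mismatch rule will lock out honest users. Logging mismatches and requiring re-authentication is usually a better first step than a hard AuthorizationException, and a per-session key (user id plus session id) instead of a per-user key lets a user keep a laptop and a phone logged in at once.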