
Asked by milosradic

Laravel - Bind Session to User-Agent string and IP address

During the penetration testing of a web application built with Laravel 6, the testers said that the user session should be bound to the User-Agent string and IP address in order to prevent stolen session IDs from being used on other PCs.

I have googled about this and didn't find anything helpful. I am not even sure if Laravel does this by default.

My question is: How can I bind the user session to the User-Agent string and the user's IP address?

Any suggestions are appreciated.

martinbean:

@milosradic And what happens if I’m browsing on my mobile on a 3G or 4G network, and my mobile provider uses rotating IP addresses between page views? I’m going to be logged out clicking around your application.

milosradic:

Hello,

Thanks for your reply.

The situation is kind of specific. It is the login for CMS users, and the CMS will be available only from the internal network (the CMS will be available only from a list of IP addresses) and not through an external network (e.g. 3G or 4G).

But, in the CMS there are multiple user groups, and if somehow one of the employees with lower privileges gets the session cookie of an employee with higher privileges, he will be able to authenticate as that user just by pasting that cookie value into his browser.

All of the employees will probably have the same IP address, so it is not that important to bind the session to the IP address, but at least to bind it to the User-Agent so it cannot be reused on another PC or a different browser.

I hope you understand what I wanted to say :D

martinbean:

@milosradic I still don’t really think that’s secure. As surely the same browser running on similar hardware is going to have the same user agent string. Not to mention that a user agent string can be “spoofed” just as easily as a cookie’s value can be copy-pasted.

Also, I don’t know off the top of my head, but Laravel’s cookies are encrypted and I think invalid somehow if it’s stolen. Like I say, I don’t know how it does it off the top of my head.
