
jwhm

Securing Laravel Sessions

I am using Fortify, and Sessions as the driver to secure my data in sessions.

My first question is in regards to .env & session.php in config/.

  • Do you edit the .env or config/session.php directly?
  • What is the most secure session driver (file, cookie, database, apc, memcached, redis, etc.)?
  • Will encrypt session encrypt anything that is added to the session via put('key', 'value');?
  • Is strict the highest security level for Same-Site cookies?

My second question is in regards to storing a user_id to session.

  • I am using an API that validates a user when provided a username and password; the API will return a user_id, which can then be used to find that user's invoices etc.

If I store that user_id in the session, will it be safe on its own, or should I use the Laravel encrypter?

0 likes
1 reply
Snapey

Only data encrypted in cookies ever leaves the server

Do you edit the .env or config/session.php directly?

Of course

What is the most secure session driver (file, cookie, database, apc, memcached, redis, etc.)?

Secure in what way? All drivers are secure from external influence. They have other pros and cons, but security is not one of them. If you are concerned that the client might be able to decrypt the cookie based session, then don't use it.

Will encrypt session encrypt anything that is added to the session via put('key', 'value');?

Yes, if it's enabled.

Is strict the highest security level for Same-Site cookies?

It's the most restrictive regarding when the cookie will be sent to the server. It changes nothing about the security of the cookie itself.

I am using an API that validates a user when provided a username

Then if you are using an API you will be in a stateless session, i.e. NO session, so NO session storage.
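To make the points in the reply concrete (server-side driver, encrypt applies to everything put() stores, SameSite only controls when the browser sends the cookie), here is an added example of a hardened config/session.php excerpt next to the framework defaults it replaces. This is not code from either poster; it uses Laravel's real session config keys, and the .env values, the cookie name and the choice of the database driver are assumptions for the example.

```php
<?php
// config/session.php (excerpt). The values are read from .env, so the file
// itself is edited once and each environment sets its own .env, e.g.:
//   SESSION_DRIVER=database
//   SESSION_ENCRYPT=true
//   SESSION_SECURE_COOKIE=true
//   SESSION_SAME_SITE=strict
return [
    // Server-side store: only the session id ever leaves the server.
    // 'cookie' would instead ship the whole (encrypted) payload to the client.
    'driver' => env('SESSION_DRIVER', 'database'),      // framework default: 'file'

    'lifetime' => (int) env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,

    // Encrypts every value written with session()->put() before it reaches
    // the store, so a stored user_id is covered without a manual encrypt().
    'encrypt' => env('SESSION_ENCRYPT', true),          // framework default: false

    'connection' => env('SESSION_CONNECTION'),
    'table' => env('SESSION_TABLE', 'sessions'),

    // Cookie attributes. These govern how the browser handles the session id,
    // not the confidentiality of the data held in the store.
    'cookie' => env('SESSION_COOKIE', 'app_session'),  // assumed name for the example
    'secure' => env('SESSION_SECURE_COOKIE', true),     // default null: sent over plain HTTP too
    'http_only' => true,                                // not readable via document.cookie
    'same_site' => env('SESSION_SAME_SITE', 'strict'),  // default 'lax'; 'strict' = never cross-site
];
```

The database driver needs the sessions table migration in place; with 'encrypt' on, anything read back with session('user_id') is decrypted transparently.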
