
andreasb

Why is the Session Encryption not set to "true" by default?

Hello,

I am learning Laravel and as per Jeffrey's "homework", I am going through all files in /config.

Now in session.php it is stated that I can simply encrypt all my sessions without having to use Laravel any differently.

Since encryption always seems like a good idea to me, I am wondering: why is this set to false by default?

Thanks Andreas

bestmomo

Hello,

The storage folder is normally not accessible on a good server, so what is the point of encrypting session data?

andreasb

Okay, granted - but in my view this is not an argument for why 1) this option exists and 2) why it is not enabled in the first place.

Would I gain additional security without sacrificing performance if I activated this option?

Thanks

jekinney

Just like in local environments, where you may not run https etc., if you needed to troubleshoot sessions, why would you encrypt them so you can't read them? Also, if you're storing sessions server-side in an inaccessible folder, why would you hash them just to unhash them right away?

kenske

Encryption is useful if you're using external storage for your sessions (Redis, Database, etc). There's always a chance it could be intercepted when it's transmitted. If it's encrypted, it's less of a concern. However, good encryption is always CPU intensive. It might not be an option if you have, for example, an API endpoint that is under high load and is required to respond quickly.

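To make concrete what the `encrypt` option changes for the external-storage case kenske describes, here is an added example (not Laravel's own code and not from any poster in this thread): a minimal encrypt-then-MAC wrapper in plain PHP that stands in for Laravel's encrypted session store. The 32-byte key standing in for APP_KEY, the sample session contents and the array used as the "Redis" store are all constructed assumptions.

```php
<?php
// Added example, not Laravel's code: a stand-in for what the session
// "encrypt" option does to a payload before it reaches Redis or a database.
// Assumptions: $appKey is a constructed 32-byte key (stands in for APP_KEY),
// $store is an array standing in for the external session backend.

function encryptPayload(string $plaintext, string $appKey): string {
    // Encrypt-then-MAC: AES-256-CBC with a fresh random IV, then HMAC-SHA256
    // over IV and ciphertext so a modified record is rejected, not decrypted.
    $iv = random_bytes(16);
    $cipher = openssl_encrypt($plaintext, 'aes-256-cbc', $appKey, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $cipher, $appKey);
    return base64_encode(json_encode([
        'iv' => base64_encode($iv), 'value' => base64_encode($cipher), 'mac' => $mac,
    ]));
}

function decryptPayload(string $record, string $appKey): ?string {
    $parts = json_decode(base64_decode($record), true);
    if (!is_array($parts) || !isset($parts['iv'], $parts['value'], $parts['mac'])) {
        return null;
    }
    $iv = base64_decode($parts['iv']);
    $cipher = base64_decode($parts['value']);
    // Constant-time comparison of the MAC: fail closed on any tampering.
    if (!hash_equals(hash_hmac('sha256', $iv . $cipher, $appKey), $parts['mac'])) {
        return null;
    }
    $plain = openssl_decrypt($cipher, 'aes-256-cbc', $appKey, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

// Constructed sample session and store.
$session = ['user_id' => 42, 'role' => 'admin', '_token' => 'csrf-example'];
$appKey = random_bytes(32);
$store = [];

// encrypt => false: anyone who can read the store sees the session as-is.
$store['sess:plain'] = serialize($session);
// encrypt => true: the store only ever holds ciphertext plus its MAC.
$store['sess:enc'] = encryptPayload(serialize($session), $appKey);
echo "plain record:     {$store['sess:plain']}\n";
echo "encrypted record: {$store['sess:enc']}\n";

// Round-trip with the key restores the session; a record with one altered
// character fails the MAC check and comes back as null instead of garbage.
var_dump(unserialize(decryptPayload($store['sess:enc'], $appKey)) === $session);
$tampered = $store['sess:enc'];
$tampered[5] = $tampered[5] === 'A' ? 'B' : 'A';
var_dump(decryptPayload($tampered, $appKey));
```

The CPU cost kenske mentions is the per-request encrypt and decrypt shown here, paid on every session read and write.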
