bigpipe's avatar

how to avoid empty session id flood

Attackers keep posting with an empty sid header; the server would keep generating new session storage and will soon be flooded. How should we handle this in L5?

I looked around and it seems that there is no easy way to prevent the session and cookie from being written.

0 likes
4 replies
foae's avatar

I don't think that you can tackle this problem in Laravel (nor plain PHP) at all. The filtering should be done through DNS with a service such as Sucuri, Incapsula or CloudFlare or on server side. Maybe this serverfault thread can give you some clues.

bashy's avatar

This would be classed as a Layer 7 attack?

bigpipe's avatar

@foae yeah, agreed that it can't simply be handled by PHP or L5, but if we want to handle it, we should have a chance to choose not to write the session.

For example, if the sid cookie was empty or absent, we could skip writing to session storage and simply return a response saying that login is needed.

But because L5 uses terminate middleware to write the session, it seems that if we want to skip the write, the only way is to exit brutally?
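
The skip described in the post above, as an added example (not code from this thread or from Laravel itself): a subclass of Laravel 5's `StartSession` middleware that answers requests with an empty or absent session cookie before any session is started. The class name `RequireExistingSession` is hypothetical, and the sketch assumes it is registered only on routes that require an existing login, while login and other guest routes keep the stock middleware.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Session\Middleware\StartSession;

// Hypothetical class name. Assumption: used in place of the stock StartSession
// on authenticated-only routes; guest routes (login form, etc.) still need the
// stock middleware so that a first session can be created.
class RequireExistingSession extends StartSession
{
    public function handle($request, Closure $next)
    {
        // Session cookie name, from the 'cookie' key in config/session.php.
        $cookieName = config('session.cookie');

        // Raw cookie value as sent by the client (null when absent).
        $sid = $request->cookies->get($cookieName);

        // Empty or absent session id: respond immediately. parent::handle()
        // is never called, so no session is started for this request and
        // there is nothing to persist to session storage afterwards.
        if (! is_string($sid) || trim($sid) === '') {
            return response('Login required.', 401);
        }

        // A session id was supplied: continue with normal session handling.
        return parent::handle($request, $next);
    }
}
```

This covers only the empty or absent id from the thread: a non-empty id that matches no stored session still gets a fresh session from the stock handling. Volume-based filtering still belongs in front of PHP, as the first reply says.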
