
karthick

How do we fix session hijacking and session fixation issues in Laravel?

I found that my site's session can be hijacked.

  1. I logged in on Safari
  2. From DevTools, copied the Laravel_session cookie value
  3. Pasted it in a new browser window on Firefox

--- without logging in, it hits the "Myaccount" page.

How can I prevent this?

Please guide me.

0 likes
7 replies
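As an added example (not code from the thread, and not Laravel's own distribution code), here is how the session-fixation half of the question is usually closed in a Laravel app: the session ID the visitor arrived with is thrown away the moment credentials are accepted, and on logout the server-side session is destroyed rather than merely expired in the browser. The controller name, the `/myaccount` redirect and the route names are assumptions; `Auth::attempt()`, `$request->session()->regenerate()`, `invalidate()` and `regenerateToken()` are standard Laravel calls.

```php
<?php
// Assumed file: app/Http/Controllers/Auth/LoginController.php (added example).
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LoginController extends Controller
{
    // Handle the login form. A session ID that was planted in or observed from
    // the browser before login (session fixation) stops mapping to anything
    // once regenerate() runs, because the user's data moves to a fresh ID.
    public function store(Request $request): RedirectResponse
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (! Auth::attempt($credentials, $request->boolean('remember'))) {
            return back()
                ->withErrors(['email' => 'Invalid credentials.'])
                ->onlyInput('email');
        }

        // New session ID, same session data.
        $request->session()->regenerate();

        return redirect()->intended('/myaccount'); // assumed landing page
    }

    // Logout: wipe the server-side session and rotate the CSRF token, so the
    // old laravel_session cookie value is dead on the server, not just in the browser.
    public function destroy(Request $request): RedirectResponse
    {
        Auth::logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```

Wire it up in `routes/web.php` with `Route::post('/login', [LoginController::class, 'store']);` and `Route::post('/logout', [LoginController::class, 'destroy']);`. Note what this does and does not cover: the copy-and-paste test in the question is run against a session that is already authenticated, so regeneration alone will not stop it; it removes the fixation case and, together with `invalidate()` on logout, shortens how long a copied cookie value stays useful.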
click

I've tried it once by looking at the IP and User-Agent. In theory that works, but in practice it is a bad idea, especially the IP check, because some users switch IP two minutes after they are logged in, so your users won't be happy with that.

This thread should give you some more info: https://stackoverflow.com/questions/12233406/preventing-session-hijacking

And in short the conclusion of that thread is: you can't. The most important part is that they can't steal the session id of your users.

karthick

I tried it on forge.laravel.com; even though I have the session ID, it didn't work in another browser.

How did they achieve it?

Any help?

click

I don't know. They don't do it with user agent strings and IPs as far as I can see now. Changing my IP or my UA does not seem to log me out. So... hmm, maybe in combination with another cookie? Maybe someone else can enlighten us.

jlrdw

You are doing a copy and paste; however, with Laravel set up correctly, meaning the main Laravel directory is not in the web folder, the stored sessions are not visible to an outsider, so the sessions should be secure.

Of course you can copy and paste your own sessions.

1 like
karthick

@jlrdw what if someone stole the session with tools like "Firewall"?

Snapey

The only real solution is to use TLS (an SSL certificate) so that the channel between the browser and the server is encrypted.

Otherwise, yes, the session cookie can be intercepted and used.

One reason why HTTPS is so important.
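The TLS point above has a server-side counterpart: the browser must also be told never to send the session cookie over plain HTTP, and not to expose it to page scripts. The following `config/session.php` excerpt is an added example (not from the thread and not Laravel's shipped file); the key names `driver`, `lifetime`, `encrypt`, `secure`, `http_only` and `same_site` are Laravel's, the chosen values and the comments on what each one buys are mine, and the `SESSION_*` environment variable names follow Laravel's convention.

```php
<?php
// Assumed file: config/session.php (excerpt, added example). Each line notes the
// permissive setting it replaces and what the hardened value changes for a
// copied or intercepted laravel_session cookie.
return [
    // 'cookie' driver would put the session payload itself in the cookie;
    // a server-side store means the cookie carries only an opaque ID.
    'driver' => env('SESSION_DRIVER', 'database'),

    // Idle timeout in minutes. A copied ID is only useful until this expires
    // after the victim's last request, so keep it as short as the app tolerates.
    'lifetime' => env('SESSION_LIFETIME', 30),
    'expire_on_close' => false,

    // Encrypt serialized session data at rest in the store.
    'encrypt' => true,

    // Unset (false) lets the browser send the cookie on http:// requests too,
    // which is exactly the interception case discussed in the thread.
    'secure' => env('SESSION_SECURE_COOKIE', true),

    // Not readable through document.cookie, so script injected into a page
    // cannot simply read the value out and ship it elsewhere.
    'http_only' => true,

    // Not attached to most cross-site requests ('none' would send it everywhere).
    'same_site' => 'lax',
];
```

Set `SESSION_SECURE_COOKIE=true` only once the whole site is served over HTTPS; with it enabled, a login over http:// silently fails because the browser never returns the cookie. Check the result in the browser's storage inspector: the cookie should show the Secure, HttpOnly and SameSite=Lax attributes.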

supertokens

Hi. Actually, there is a very reliable way to detect session hijacking. It also doesn't give false positives/negatives, unlike some of the methods that involve IP addresses and device fingerprints. This method is called "rotating refresh tokens". It basically uses two tokens (access and refresh tokens) which change over time, and this changing allows token theft to be detected. This method is also suggested in the IETF's RFC: https://tools.ietf.org/html/rfc6749#section-10.4

If you want directions towards implementing this method, please have a look at this blog post: https://supertokens.io/blog/the-best-way-to-securely-manage-user-sessions

Visit https://supertokens.io to check out our product that does exactly what is stated above.

1 like
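To make the detection mechanism in the post above concrete, here is a minimal rotating-refresh-token store in plain PHP. It is an added example, not the thread's code and not SuperTokens' library: the class name, the in-memory arrays and the "token family" bookkeeping are my assumptions about one way to implement the idea from RFC 6749 section 10.4, where every refresh consumes the presented token and issues a new one, and a second presentation of an already-consumed token means two parties hold it, so the whole family is revoked. Run it with the `php` CLI; the walkthrough at the bottom is constructed.

```php
<?php
// Added example: rotating refresh tokens with theft detection (in-memory store).
final class RefreshTokenStore
{
    /** @var array<string, array{family: string, user: int, used: bool}> keyed by sha256(token) */
    private array $refresh = [];
    /** @var array<string, bool> family id => revoked */
    private array $revokedFamilies = [];

    // Login: start a fresh token family for this user.
    public function issueOnLogin(int $userId): array
    {
        return $this->mint($userId, bin2hex(random_bytes(16)));
    }

    // Refresh: exchange a refresh token for a new access/refresh pair.
    // Returns null when the token is unknown, its family is revoked, or (the
    // theft signal) it was already consumed once; in that case the family is revoked.
    public function rotate(string $refreshToken): ?array
    {
        $key = hash('sha256', $refreshToken);
        $record = $this->refresh[$key] ?? null;
        if ($record === null || isset($this->revokedFamilies[$record['family']])) {
            return null;
        }
        if ($record['used']) {
            // Same token presented twice: the real client and someone else both have it.
            $this->revokedFamilies[$record['family']] = true;
            return null;
        }
        $this->refresh[$key]['used'] = true;
        return $this->mint($record['user'], $record['family']);
    }

    public function isFamilyRevoked(string $family): bool
    {
        return isset($this->revokedFamilies[$family]);
    }

    private function mint(int $userId, string $family): array
    {
        $refreshToken = bin2hex(random_bytes(32));
        // Only a hash is stored, so a dump of the store does not yield usable tokens.
        $this->refresh[hash('sha256', $refreshToken)] = [
            'family' => $family, 'user' => $userId, 'used' => false,
        ];
        return [
            'access'  => bin2hex(random_bytes(16)), // stand-in for a short-lived signed access token
            'refresh' => $refreshToken,
            'family'  => $family,
        ];
    }
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("unexpected: $what");
    }
}

// Constructed walkthrough.
$store  = new RefreshTokenStore();
$victim = $store->issueOnLogin(42);             // victim logs in
$copied = $victim['refresh'];                   // the refresh token is copied by a third party
$victim = $store->rotate($victim['refresh']);   // victim's client refreshes normally
check($victim !== null, 'legitimate refresh succeeds');

$replay = $store->rotate($copied);              // the consumed token is presented again
check($replay === null, 'replayed token is rejected');
check($store->isFamilyRevoked($victim['family']), 'whole family revoked on reuse');

// The victim's current token is now dead too, forcing a fresh login: that
// forced re-login is the detection signal the post describes.
check($store->rotate($victim['refresh']) === null, 'victim must log in again');
echo "reuse detected, token family revoked\n";
```

The order of the two presentations does not matter: whichever party refreshes second is presenting a consumed token, and the family is revoked either way. In a real deployment the two arrays become database tables, the access token is a short-lived signed token checked without a database lookup, and revoking a family should also be logged so the event can be reviewed.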
