
Rynnhelded

Using url session ID instead of cookie

Hello!

I am refactoring a from-scratch application to Laravel. The app currently uses a session ID passed in the URL (plus a few more checks like IP, user agent...) to identify users instead of cookies. The main idea is to be able to have multiple separate sessions simultaneously in different tabs. I'm aware this method can lead to security issues and that there are browser plugins to emulate tab session isolation, but for now I'm just trying to restore all the app's functionality under Laravel.

I see that Laravel has a StartSession middleware that starts the session, does things and adds a cookie to the response automatically. What would be the best approach for me to implement the URL session ID mechanism? Bonus if I can preserve Laravel's simple request usage ($request->session()->put(...)).

I was thinking of disabling the StartSessionMiddleware and adding my own "StartUrlSessionMiddleware" that would, for each request, look for $_GET['PHPSESSIONID'] (or similar) and resume or start the native PHP session (session_start()). I suppose it would work, but I won't be able to use the $request->session() method, right? Also, if I start a new session, I would have to send the client their session ID so they could send it back (like the StartSessionMiddleware does with "$this->addCookieToResponse($response, $session);").

I am looking forward to reading your ideas :) Thanks

0 likes
2 replies
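One way to wire the mechanism described in the post into Laravel, as an added example that is neither the poster's code nor part of Laravel itself: a subclass of Laravel's own StartSession middleware that reads the session ID from a query-string parameter (assumed here to be the configured session cookie name, "laravel_session" by default) and hands it back in an assumed X-Session-Id response header instead of a cookie. Because the parent handle() still calls $request->setLaravelSession(), $request->session()->put(...) keeps working, and so do middleware that depend on the session (CSRF, auth, flash data).

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Contracts\Session\Session;
use Illuminate\Http\Request;
use Illuminate\Session\Middleware\StartSession;
use Symfony\Component\HttpFoundation\Response;

/**
 * Example only (not the original poster's code and not shipped with Laravel):
 * a StartSession variant that takes the session ID from the query string
 * instead of the session cookie. The parameter name is assumed to be the
 * configured session cookie name (config('session.cookie')).
 */
class StartUrlSession extends StartSession
{
    /**
     * Resolve the session store for this request.
     *
     * Laravel's parent implementation reads the ID from the cookie jar; this
     * override reads it from the query string. Store::setId() only accepts a
     * well-formed ID (40 alphanumeric characters) and otherwise generates a
     * fresh one, so a malformed value cannot be pushed into the store. A
     * well-formed, attacker-chosen ID *is* accepted though, which is exactly
     * the session-fixation risk of ID-in-URL: the login path must call
     * $request->session()->regenerate() (Laravel's built-in auth already does).
     */
    public function getSession(Request $request)
    {
        $session = $this->manager->driver();

        // Query value may be null or an array ("?laravel_session[]=x");
        // Store::setId() validates the type and shape and falls back to a new ID.
        $session->setId($request->query($session->getName()));

        return $session;
    }

    /**
     * Tell the client its ID so it can send it back on the next request.
     *
     * The parent implementation issues a Set-Cookie header; this example
     * sends an X-Session-Id header instead (an assumed convention for the
     * front end), so no session cookie is ever set. The front end is then
     * responsible for appending ?laravel_session=<id> to every link and form
     * action it renders, which is what makes the per-tab sessions possible.
     */
    protected function addCookieToResponse(Response $response, Session $session)
    {
        $response->headers->set('X-Session-Id', $session->getId());
    }
}
```

Register it in place of \Illuminate\Session\Middleware\StartSession::class in the web middleware group (app/Http/Kernel.php up to Laravel 10; Laravel 11 exposes $middleware->web(replace: [...]) in bootstrap/app.php). Two caveats worth carrying into the slides mentioned later in the thread: an ID in the query string is written to server and proxy access logs, browser history and the Referer header of every outbound link unless a strict Referrer-Policy is set, and once it leaks, none of the secondary checks (IP, user agent) stops a hijack from a similar client.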
martinbean

@rynnhelded Why do you need multiple sessions in the first place? You should not be passing anything relating to user authentication in a URL.

Rynnhelded

@martinbean Well, it is not my app. It is an old, non-MVC, non-anything app that is running in production, and I am in the process of migrating it to up-to-date practices. But I can't change everything by myself without discussion, even if I would like to.

I am preparing some presentation slides to explain the risks of session IDs in the URL (hijacking, session fixation...) and also the inherent usage problems (mobile navigation with the IP changing regularly, etc.). But if the project manager says the current "multiple sessions" feature is mandatory, then I will just have to implement it again; that's why I was wondering how I could do it with Laravel.

And if he uses multiple sessions just for debugging/management on his side, I'll just show him some browser plugins and push for the use of cookies for good practice and security reasons. If you have any links or other arguments in favor of dropping the session ID in the URL that we have not discussed, you are welcome to share them! :)
