Snooping and session hijacking is impossible to completely prevent, but for maximal security this application will create a new session id at each login and will delete the old session id at each logout. So if the session was successfully hijacked, once the user logs out, the access to the hijacked session ends. This is done in the AuthenticatedSessionController.php that can be found in app/Http/Controllers/auth/AuthenticatedSessionController.php.
There the store and destroy methods handle the session ids at every log in / out.
Insecure direct object references (IDOR) is a way to obtain access to private data with user supplied inputs. In Laravel the hosting root is the /public directory, which contains an index.php file and some other files that have to be publicly accessible, like JS and CSS files for example. All requests are going through Laravels index.php file to the router web.php pointing to Controllers or returning the blades directly. This technique prevent IDOR attacks, which I want to demonstrate with the follwoing example:
This application has two files, from which one is stored inside the /public directory and another one in the root directory. When we now try to access the file in the /public folder by adding /IDOR_in_public.txt to our URL, we will see the text rendered in our browser. However, when we now try to reach the /IDOR.txt file in the root directory, Laravel will simply respond with a 404 error since the route is not defined in the router.
Laravel is a web application framework with expressive, elegant syntax. We believe development must be an enjoyable and creative experience to be truly fulfilling. Laravel takes the pain out of development by easing common tasks used in many web projects, such as:
- Simple, fast routing engine.
- Powerful dependency injection container.
- Multiple back-ends for session and cache storage.
- Expressive, intuitive database ORM.
- Database agnostic schema migrations.
- Robust background job processing.
- Real-time event broadcasting.
Laravel is accessible, powerful, and provides tools required for large, robust applications.
Laravel has the most extensive and thorough documentation and video tutorial library of all modern web application frameworks, making it a breeze to get started with the framework.
If you don't feel like reading, Laracasts can help. Laracasts contains over 2000 video tutorials on a range of topics including Laravel, modern PHP, unit testing, and JavaScript. Boost your skills by digging into our comprehensive video library.
We would like to extend our thanks to the following sponsors for funding Laravel development. If you are interested in becoming a sponsor, please visit the Laravel Patreon page.
- Vehikl
- Tighten Co.
- Kirschbaum Development Group
- 64 Robots
- Cubet Techno Labs
- Cyber-Duck
- Many
- Webdock, Fast VPS Hosting
- DevSquad
- Curotec
- OP.GG
- WebReinvent
- Lendio
Thank you for considering contributing to the Laravel framework! The contribution guide can be found in the Laravel documentation.
In order to ensure that the Laravel community is welcoming to all, please review and abide by the Code of Conduct.
If you discover a security vulnerability within Laravel, please send an e-mail to Taylor Otwell via [email protected]. All security vulnerabilities will be promptly addressed.
The Laravel framework is open-sourced software licensed under the MIT license.