Support the ongoing development of Laravel.io →
Authentication Security Session
Last updated 2 years ago.
0

Logged user is usually stored in session :) .

Last updated 2 years ago.
0

Yes. But when I access user or check if he is logged with Auth:user A query is performed

Last updated 2 years ago.
0

The ID is stored in session - for any further details a query is executed. I don't see any major concerns with sticking it all in a session, there might be a slight risk of another account being able to view your session files if you're on a shared host where all virtual hosts share the same session path and both accounts run under the same user: http://websec.io/2012/08/24/Shared-Hosting-PHP-Session-Security.html

Last updated 2 years ago.
0

I wouldn't recommend putting the user detail in the session unless you're also willing to extend the User model (or repository if you're using one) to apply any updates persisted to the database to the session too, otherwise your application may find itself using information from the session that is out-of-date.

But even this wouldn't completely protect you, since in this multi-device world, users may interact with your application from different sources,each with their own session.

Personally, I'd just accept that one pretty lightweight DB call to guarantee that you're using the up-to-date information is a perfectly acceptable price to pay.

Last updated 2 years ago.
0

Sign in to participate in this thread!

Eventy

Your banner here too?

tzookb tzookb Joined 9 Feb 2014

Moderators

We'd like to thank these amazing companies for supporting us

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

© 2024 Laravel.io - All rights reserved.