I have tested the following in Laravel 4.1.27 and 5.1.11. When using the "cookie" driver to save the Laravel session, there are two issues:
Here's an example of the two session cookies:
Cookie Name                                Value      Secure
-----------------------------------------  ---------  ------
my_laravel_session                         eyJpdi...  True
711cf279cadc02d46a8ea6b989c1d25530b3d8ea   eyJpdi...  False
From looking at the source code, I think the first issue is that the second cookie is the "session id", and is possibly used to prevent session fixation. I think the second issue is a bug, and the easiest way to fix it is to modify CookieJar.php to force the "session id" cookie to be "secure = true".
The first issue is a potential problem for users of the Chrome browser, which does not delete session cookies by default ("Continue where I left off"), creating a situation where the amount of cookie data for the domain exceeds the web server max, causing an error. Is there a way to force the "session id" cookie to be a pre-configured (i.e., non-random) name, or maybe to put the "session id" cookie into the "session name" cookie (i.e., combine the two cookies into one)?
If the second "session id" cookie cannot be eliminated, is there a better way to make it "secure" other than changing the Laravel source code in CookieJar.php?
Any suggestions on how others have handled Laravel session cookies would be appreciated.
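As an added illustration (not code from the post or from Laravel), the following Python check audits a response's Set-Cookie headers for the two problems described above: a Laravel session cookie sent without the Secure flag, and a second session-id cookie with a random 40-hex-character name that accumulates in browsers that keep session cookies. The sample headers are constructed from the post's table, and the configured cookie name and the 40-hex naming pattern are assumptions.

```python
import re

# Constructed sample Set-Cookie headers modelled on the two cookies in the post
# (values shortened; real Laravel cookie values are long base64 JSON blobs).
SAMPLE_SET_COOKIE_HEADERS = [
    "my_laravel_session=eyJpdi...; expires=Fri, 02-Oct-2015 12:00:00 GMT; path=/; secure; httponly",
    "711cf279cadc02d46a8ea6b989c1d25530b3d8ea=eyJpdi...; expires=Fri, 02-Oct-2015 12:00:00 GMT; path=/; httponly",
]

# Assumption: the random "session id" cookie name is a 40-character hex string, as in the post.
SESSION_ID_NAME_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookies(headers, configured_name="my_laravel_session"):
    """Return [(cookie_name, [problem, ...])] for every Laravel session cookie found."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        random_name = bool(SESSION_ID_NAME_RE.match(name))
        if name != configured_name and not random_name:
            continue  # not one of the session cookies we care about
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        if random_name:
            problems.append("random cookie name (accumulates in browsers that keep session cookies)")
        findings.append((name, problems))
    return findings


def cookie_request_header_size(headers):
    """Bytes the browser would send back in a single Cookie header for these cookies."""
    pairs = [f"{name}={value}" for name, value, _ in map(parse_set_cookie, headers)]
    return len("; ".join(pairs))
```

Run `audit_session_cookies(SAMPLE_SET_COOKIE_HEADERS)` against real headers captured from your own deployment to confirm the session-id cookie carries Secure after any fix, and watch `cookie_request_header_size` grow across visits to spot the accumulation problem.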