Laravel Sessions & Middleware
Priority: P1 (HIGH)
Workflow: Secure Sessions & Add Middleware
- Set Redis driver: SESSION_DRIVER=redis in .env; install predis/predis.
- Regenerate on login: call $request->session()->regenerate() after authentication.
- Create security middleware: add HSTS, CSP, X-Frame-Options headers.
- Register globally: use withMiddleware(fn($m) => $m->append(...)) in bootstrap/app.php.
Security Headers Middleware Example
See implementation examples for security headers middleware and directory structure.
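The workflow steps above, carried through end to end as an added example (this is not code from the original page or from the Laravel project): a global middleware that sets the four security headers on every response, and the bootstrap/app.php registration that appends it to the global pipeline. The class name SecurityHeaders and the concrete header values (CSP sources, HSTS max-age) are assumptions to be tuned to the application's asset origins.

```php
<?php
// ---- app/Http/Middleware/SecurityHeaders.php ----
// Added example: emits HSTS, CSP, X-Frame-Options and X-Content-Type-Options
// on every response. Header values are assumptions; adjust the CSP to match
// the origins your pages actually load scripts, styles and images from.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        // Let the rest of the pipeline build the response first, then
        // decorate it: response headers belong after $next($request).
        $response = $next($request);

        // HSTS is only meaningful over TLS. Sending it on plain HTTP is
        // ignored by browsers, and sending it from a local dev host can pin
        // that hostname to HTTPS in the developer's browser for a year.
        if ($request->isSecure()) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubDomains'
            );
        }

        // Restrictive baseline CSP: same-origin only, no plugins, no framing.
        $response->headers->set(
            'Content-Security-Policy',
            "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
        );

        // Legacy clickjacking protection for browsers without frame-ancestors.
        $response->headers->set('X-Frame-Options', 'DENY');

        // Stop MIME sniffing so an uploaded "image" is never run as a script.
        $response->headers->set('X-Content-Type-Options', 'nosniff');

        return $response;
    }
}
```

```php
<?php
// ---- bootstrap/app.php (Laravel 11+ layout) ----
// Added example: register the middleware globally so every route,
// including error pages and redirects, carries the headers.

use App\Http\Middleware\SecurityHeaders;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // append() runs after the framework's own global middleware;
        // prepend() would place it first in the stack.
        $middleware->append(SecurityHeaders::class);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();
```

After registering, verify with a request against a local server (curl -I https://your-host/) that all four headers appear, and that Strict-Transport-Security is absent over plain HTTP as intended.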
Implementation Guidelines
Session Architecture
- Drivers: Set SESSION_DRIVER=redis in .env for production/scaled environments.
- Dependencies: Install predis/predis and avoid the file driver due to I/O lock issues at scale.
- Security: Call $request->session()->regenerate() after successful authentication to prevent session fixation. Call $request->session()->invalidate() on logout.
- Access: Never access env('SESSION_DRIVER') directly in code; always use config('session.driver'). Clear caches via php artisan config:clear.
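The Security and Access items above, as an added example that is not part of the original page: a session controller that rotates the session id after a successful login and invalidates it on logout, plus a service-provider boot check that reads the driver through config() rather than env(). The controller class name, the route names ('dashboard', the '/' redirect) and the production-only driver check are assumptions.

```php
<?php
// ---- app/Http/Controllers/Auth/SessionController.php ----
// Added example: login/logout handlers with session-fixation protection.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Validation\ValidationException;

class SessionController extends Controller
{
    public function store(Request $request): RedirectResponse
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (! Auth::attempt($credentials, $request->boolean('remember'))) {
            // Generic message: do not reveal whether the e-mail exists.
            throw ValidationException::withMessages(['email' => __('auth.failed')]);
        }

        // The session id that existed before login could have been planted
        // by an attacker (session fixation). Issuing a fresh id now means the
        // pre-authentication id never becomes an authenticated one.
        $request->session()->regenerate();

        return redirect()->intended(route('dashboard'));
    }

    public function destroy(Request $request): RedirectResponse
    {
        Auth::guard('web')->logout();

        // invalidate() flushes all session data and rotates the id, so the
        // cookie the browser still holds maps to nothing on the server.
        $request->session()->invalidate();

        // Rotate the CSRF token too; the old one should not outlive the login.
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```

```php
<?php
// ---- app/Providers/AppServiceProvider.php (boot excerpt) ----
// Added example: read the driver through config('session.driver') so the
// check still works when config is cached (env() returns null after
// php artisan config:cache). Failing fast in production is an assumption.

namespace App\Providers;

use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        if ($this->app->isProduction() && config('session.driver') === 'file') {
            throw new \RuntimeException(
                'File session driver is not supported in production; set SESSION_DRIVER=redis.'
            );
        }
    }
}
```

The controller pairs regenerate() (keep data, new id) on login with invalidate() (drop data, new id) on logout; using regenerate() alone on logout would leave the old session payload attached to the new id.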
Middleware Pipeline
- Custom Middleware: Use php artisan make:middleware EnsureTokenIsValid. Implement handle(Request $request, Closure $next): Response.
- Registration: Register new middleware in bootstrap/app.php using withMiddleware().
- Security Headers: Standardize HSTS, CSP, X-Frame-Options, and X-Content-Type-Options in dedicated security middleware. Register as global middleware.
- Priority: Use withMiddleware(fn($m) => $m->append(MyMiddleware::class)) or prepend() for highest priority.
- Performance: Avoid heavy computation in global middleware; delegate these to domain services.
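The Custom Middleware and Performance items above, as an added example (not code from the original page or the Laravel project): the class scaffolded by php artisan make:middleware EnsureTokenIsValid, filled in so that the handle() method stays thin and the actual token check lives in an injected service. The ApiTokenValidator service, the X-Api-Token header name, the services.internal_api.token config key and the 'token.valid' alias are all assumptions.

```php
<?php
// ---- app/Http/Middleware/EnsureTokenIsValid.php ----
// Added example: request-rejecting middleware with the handle() signature
// the page specifies. Validation is delegated to a service so the
// middleware itself does no heavy work and the logic is testable alone.

namespace App\Http\Middleware;

use App\Services\ApiTokenValidator;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class EnsureTokenIsValid
{
    // Constructor injection: the container resolves the service for us.
    public function __construct(private ApiTokenValidator $validator)
    {
    }

    public function handle(Request $request, Closure $next): Response
    {
        $token = $request->header('X-Api-Token');

        if ($token === null || ! $this->validator->isValid($token)) {
            // Reject before any controller runs; 401 because the client
            // has not authenticated, not 403.
            abort(401, 'Missing or invalid API token.');
        }

        return $next($request);
    }
}
```

```php
<?php
// ---- app/Services/ApiTokenValidator.php ----
// Added example: the domain service the middleware delegates to.
// The config key is an assumption; the point is that the comparison is
// constant-time (hash_equals) and lives outside the middleware.

namespace App\Services;

class ApiTokenValidator
{
    public function isValid(string $token): bool
    {
        $expected = (string) config('services.internal_api.token', '');

        // hash_equals avoids a timing side channel on the comparison.
        return $expected !== '' && hash_equals($expected, $token);
    }
}
```

```php
<?php
// ---- bootstrap/app.php (withMiddleware excerpt) and routes/api.php ----
// Added example: a route-level alias for the token check. A middleware that
// must run before everything else would use $middleware->prepend(...) instead.

use App\Http\Middleware\EnsureTokenIsValid;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Support\Facades\Route;

// inside ->withMiddleware(function (Middleware $middleware) { ... })
// $middleware->alias(['token.valid' => EnsureTokenIsValid::class]);

// routes/api.php
Route::middleware(['token.valid'])->group(function () {
    Route::get('/internal/status', fn () => ['ok' => true]);
});
```

Because the check is route-scoped rather than global, requests to unrelated routes never pay for the lookup, which is the Performance guideline applied in practice.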
Anti-Patterns
- No file session driver in production: Use Redis or Memcached instead.
- No env() for session config: Use config('session.*') instead.
- No heavy logic in Middleware: Delegate complex logic to Services.
- No sensitive data in cookies: Store securely in server sessions only.