Are Laravel session variables secure?

Question

Is there any (known) way for end users to edit a Laravel session variable?

Answer 1

Is there any (known) way for end users to edit a Laravel 4 session variable?

Yes there is, but only if you go out of your way to make it possible. The steps required are:

1. Use the cookie driver for sessions (which stores all session data into a cookie rather than simply storing an identifier in the cookie and keeping the actual data server-side). I generally recommend against storing session state in a cookie.
2. Turn off session encryption, which the documentation strongly says not to do.

If you do these ill-advised steps, in addition to allowing users to overwrite session data, this is a risk for PHP object injection via unserialize().

Advice: If you are going to store session state in a cookie, make sure it's wrapped in authenticated encryption. Laravel's encryption library employs authenticated encryption (Encrypt then MAC), and the sessions use this by default.

---

As for the other drivers, that depends on your network topology. If your database is on another server and your attacker can impersonate the web server, they can put whatever they want in the database.

Last I checked, Laravel defaults to encrypt session data (unless you disable encryption). Unless your database is on the same host as the webserver, leave it turned on.

Answer 2

They would have to run code (something like Session::put('key', 'value');) on your server.. or take advantage of possible vulnerabilities on your application.

If you're using the Session carefully on your side (validation, etc.) it should remain the same unless you update it.

More on Laravel's Session here: http://laravel.com/docs/4.2/session