 

Laravel session id changes with each request

I have a Laravel 5.0 site where the frontend JS makes a lot of ajax calls to the backend Laravel code. I've noticed that on each ajax request I'm getting a new "laravel_session" cookie value in the response every time. I'm guessing that this is some security mechanism to protect against session hijacking.

However I think this is causing an issue with my site, as my ajax calls often happen in parallel, not sequentially. I don't wait for the response before firing the next call.

Consider this scenario:

1. Ajax call 1 - request - laravel_session cookie = '1234'
2. Ajax call 1 - response - laravel_session cookie = '2345'
3. Ajax call 2 - request - laravel_session cookie = '2345'
4. Ajax call 3 - request - laravel_session cookie = '2345'
5. Ajax call 2 - response - laravel_session cookie = '3456'
6. Ajax call 3 - response - session no longer valid

Is there any way around this?

I should also note that sessions are set to expire in config/session.php as 'lifetime' => 120.

[screenshot: config/session.php]

MakkyNZ asked Oct 14 '15 16:10




2 Answers

You are right, it is a security mechanism. To disable it for testing, in Kernel.php comment out this line:

\App\Http\Middleware\EncryptCookies::class

Then you will see the session ID in your cookie viewer and it doesn't change.

You can Google for HTTP encrypted cookies to learn about the practice. There is an ongoing debate if this old practice is necessary now that we use HTTPS on every website.

malhal answered Oct 24 '22 11:10


Your domain is invalid. You need to look at config.session.domain and config.session.path.

Lance Pioch answered Oct 24 '22 12:10