Laravel Community Tools by Tighten

Category "Session" tricks

21 tricks
Simple ACL Laravel 5.2 Providers->AuthServiceProvider Register any application authentication / authorization services.
hendrilara 10 years ago 32157
Encryption
test1 10 years ago 7255
Session timeout for logged-in users (the middleware way), to prevent dashboard or ... access after a specified time. If we use this middleware in route groups, it will run on every request under the route group. With this code we do not need to change the php.ini file or the Laravel session config file, and the default settings are appropriate. Do not forget to register the middleware in app\Http\Kernel: 'timeout' => 'App\Http\Middleware\SessionTimeout'. Other notices: 1- We can use middleware parameters in Laravel 5.1 for custom conditions. 2- We must redirect the user back (after session timeout and logout), to prevent the user from navigating back. 3- We must show a message to the user (after session timeout and logout) that they were logged out after [20] minutes of inactivity. Our Persian web app for time management is: https://timenix.com If you have a better idea please comment it. ♥
ivahidmont... 10 years ago 87452
Hello, what if, after your application has logged out, you intentionally hit the back button in your web browser: what happens? Your application will return to the original page, when it should be redirected to the login page. Here I share a simple trick; put it in filters.php.
cyberid41 11 years ago 24115
You may need this basically for security reasons. When somebody has installed this plugin (https://wappalyzer.com/download) in the browser, s/he can see all the frameworks and JavaScript libraries, among other things. Wappalyzer uses JSON to specify what it should be looking for. Check this GitHub repo to understand how it identifies Laravel (https://github.com/ElbertF/Wappalyzer/blob/master/share/apps.json). So, to hide Laravel from this plugin, you need to edit the session cookie name in /app/config/session.php. Change it from laravel_session to your desired name, e.g. yourapp_session. Hope this helps.
amirolzolk... 11 years ago 24628
I use this to always know in my controllers if the current action is shown through a Facebook tab iframe. Upon the first request this checks if there is a "signed_request" variable posted to the page. Then $fb_state is set to true and shared with all views. The problem is that on navigating to the next page within your app this variable is lost and you don't know if this is shown through Facebook. Due to the FB page proxy you can't use sessions to remember this for the next request either. I solve this problem by adding "signed_request" as a parameter (i.e. "&signed_request=123ljshgljsdhflsdhfl") to every link and form when $fb_state == true. Of course you could also pass any other variable if you don't need the actual signed_request data.
flei 11 years ago 8324
When showing a website through a Facebook Page tab, validation errors are not displayed, because Facebook "forgets" the sessions due to the page proxy. One problem with this is that session data is destroyed / forgotten on each request going through that proxy. This applies to Redirect::back()->withErrors($validator) for showing the form with validation errors, because sessions are used. To avoid this, simply fiddle the error data together and pass it directly to the respective action that handles the input form. One thing to mention is that calling other controller actions directly of course does not affect the route. Let's say editing happens at "/edit" and the "registration complete" message is shown at "/complete". When calling the action within the controller, the form with errors is now shown at "/complete", whereas "/edit" would be shown if you redirected back (Line 22). I personally don't really care too much about this since the "real" web address is not shown in the FB page tab anyway due to the page proxy. Looking forward to hearing your opinions on this. Maybe there is even a better way.
flei 11 years ago 13817
Starting from 4.1.28, Application::boot() does not initialize sensitive session data anymore. That is, it is accessible, but encrypted. So if you're integrating a 3rd party library which needs an external authentication check through sessions, simply checking Auth::check() will not work. However, we can still use the old $_SESSION variable. Examples of 3rd party libraries: CkFinder, elFinder (has a Laravel package though), MoxieManager. N.B. If you can use Ajax calls for authorization checks, you can still make a custom API with a JSON request to user-logged (as an example) to see if the user is authenticated.
YOzaz 11 years ago 11625