Session Specific Attacks
Through the use of sessions your identity is maintained as you use a website, and, just as in real life, identity theft is a concern. By taking over your session, an attacker would essentially become you on a website, with access to all of the actions, information and privileges that entails.
The main thing that an attacker needs to steal a session is the session ID. There are three ways an attacker normally goes about doing this, all of which can be protected against but are, by default, completely open.
- Guess the ID: most session handlers generate IDs that make this impractical.
- Set the ID: rather than steal or guess the ID, an attacker may try to set it to a value they choose.
PHP session blocking and concurrent requests (AJAX)
Laravel supports multiple implementations with multiple drivers:
- file - sessions are stored in storage/framework/sessions. DEFAULT
- cookie - sessions are stored in secure, encrypted cookies.
- database - sessions are stored in a database used by your application.
- memcached / redis - sessions are stored in one of these fast, cache based stores.