dentro / paranoia
HTTP Session Security for Laravel
Requires
- php: ^8.3.0
Requires (Dev)
- fakerphp/faker: ^1.23
- laravel/pint: ^1.17.3
- orchestra/testbench: ^9.5
- pestphp/pest: ^3.0.7
- pestphp/pest-plugin-type-coverage: ^3.0
- phpstan/phpstan: ^1.12.4
- rector/rector: ^1.2.5
- symfony/var-dumper: ^7.1.4
README
Paranoia
HTTP Session Security for Laravel
Caution
Paranoia only supports the database session driver. Support for other drivers is planned if there is demand for it; please open a new issue stating which driver you need.
Important
In session hijacking, an attacker obtains a user's session ID (from an intercepted request, a leaked cookie, a cross-site scripting payload or a compromised client) and presents it to the application, which then treats the attacker as the legitimate user and lets them read data and perform actions on that user's behalf. This is HTTP session hijacking; it is distinct from TCP connection hijacking, with which it is often conflated.
The baseline defence is to make the session ID hard to steal in the first place: serve the application only over HTTPS and mark the session cookie Secure and HttpOnly. Paranoia adds a further layer on top of that by detecting suspicious changes on an established session (user agent, location, IP address) that indicate the session ID may now be in someone else's hands.
Requires PHP 8.3+
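To make the idea concrete, here is an added illustrative middleware (not the paranoia package's own code) that shows the kind of check described above: it binds a fingerprint of the User-Agent and client IP to the session on the first request and terminates the session when a later request no longer matches. The class name, the session key, the named `login` route and the decision to treat any mismatch as hijacking are assumptions made for this example.

```php
<?php
// Added illustrative example, not code from the paranoia package. It shows a
// minimal session-fingerprint check of the kind the package performs. The class
// name, session key and the 'login' route are assumptions for this example.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

final class SessionFingerprintMiddleware
{
    private const KEY = '_fingerprint';

    public function handle(Request $request, Closure $next): Response
    {
        $current = self::fingerprint($request);
        $stored  = $request->session()->get(self::KEY);

        if ($stored === null) {
            // First request seen on this session: bind the fingerprint to it.
            $request->session()->put(self::KEY, $current);

            return $next($request);
        }

        $changed = self::compare($stored, $current);

        if ($changed !== []) {
            Log::warning('session fingerprint mismatch', [
                'user_id' => Auth::id(),
                'changed' => $changed,
                'ip'      => $request->ip(),
            ]);

            // Treat the session as hijacked: log out, destroy the session row and
            // rotate the CSRF token so the old session ID cannot be replayed.
            Auth::logout();
            $request->session()->invalidate();
            $request->session()->regenerateToken();

            return redirect()->route('login')->withErrors([
                'session' => 'Your session was ended because its origin changed.',
            ]);
        }

        return $next($request);
    }

    /**
     * Store a hash of the User-Agent rather than the raw string so the session
     * payload does not accumulate attacker-controlled header content.
     *
     * @return array{ua: string, ip: string}
     */
    public static function fingerprint(Request $request): array
    {
        return [
            'ua' => hash('sha256', (string) $request->userAgent()),
            'ip' => (string) $request->ip(),
        ];
    }

    /** @return list<string> attributes whose value differs between the two fingerprints */
    public static function compare(array $stored, array $current): array
    {
        $changed = [];
        foreach (['ua', 'ip'] as $attr) {
            if (($stored[$attr] ?? null) !== ($current[$attr] ?? null)) {
                $changed[] = $attr;
            }
        }

        return $changed;
    }
}
```

Two things to watch when running a check like this. `$request->ip()` only reports the real client address if the application trusts its reverse proxy (`$middleware->trustProxies(...)` in `bootstrap/app.php`); without that, every visitor appears to come from the load balancer and the IP comparison never fires. And because the fingerprint is stored in the session, the middleware has to run after `StartSession`, which in Laravel means placing it in the `web` group rather than the global stack.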
Geo Restriction Detection
Blocks access based on the Geo IP of the requesting address. The lookup uses ipinfo.io, which needs an API token (see Configuration). Geo restriction suits applications with a strict limited-country access policy, for example in government, financial institutions or internal software.
```
# Register this Middleware
\Dentro\Paranoia\Middlewares\GeoRestrictionMiddleware::class

# Event dispatched by this detection
\Dentro\Paranoia\Events\GeoRestrictionDetected::class
```
See OWASP AppSensor detection point RP1: Suspicious or Disallowed User Source Location for more information.
IP Changes During Session Detection
Detects a change of client IP address during a session, which can indicate that the session ID is being used from a second machine. Be aware that a legitimate user switching from Wi-Fi to mobile data, or moving between carrier NAT pools, also shows up as a new IP; enable this only where the resulting forced re-login is acceptable.
```
# Register this Middleware
\Dentro\Paranoia\Middlewares\IPChangeRestrictionMiddleware::class

# Event dispatched by this detection
\Dentro\Paranoia\Events\IPChangeDuringSessionViolationDetected::class
```
User-Agent Changes During Session Detection
Detects a change of the User-Agent header during a session. It works like the IP change detection above but compares the User-Agent string, so a session ID cannot be reused from a browser other than the one that started the session.
```
# Register this Middleware
\Dentro\Paranoia\Middlewares\UserAgentChangeRestrictionMiddleware::class

# Event dispatched by this detection
\Dentro\Paranoia\Events\UserAgentChangeDuringSessionViolationDetected::class
```
This reduces the impact of a successful session hijack: a stolen ID replayed from a different browser is caught on its first request.
See OWASP AppSensor detection point SE6: Change of User Agent Mid Session for more information.
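The README names the middleware and event classes but not how to wire them into an application, so the following is an added example of doing that in Laravel 11 (the version targeted by the package's `orchestra/testbench ^9.5` dev dependency). It is not code from the paranoia package. The events' payload is not documented on this page, so the listener uses only the event class name and the current request; the controller names under `routes/web.php` are placeholders.

```php
<?php
// Added example (not code from the paranoia package) showing how the middleware
// and event classes named in this README can be wired into a Laravel 11 app.
// Assumptions: the event payload is unknown, so the listener only uses the event
// class and the current request; AccountController/TransferController are placeholders.

// ---- bootstrap/app.php ----
use Dentro\Paranoia\Middlewares\GeoRestrictionMiddleware;
use Dentro\Paranoia\Middlewares\IPChangeRestrictionMiddleware;
use Dentro\Paranoia\Middlewares\UserAgentChangeRestrictionMiddleware;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(web: __DIR__.'/../routes/web.php')
    ->withMiddleware(function (Middleware $middleware): void {
        // The checks read the session, so they must run after StartSession:
        // append them to the 'web' group instead of the global stack.
        $middleware->appendToGroup('web', [
            GeoRestrictionMiddleware::class,
            UserAgentChangeRestrictionMiddleware::class,
        ]);

        // IP changes also happen on Wi-Fi/mobile handovers, so expose the IP
        // check as an alias and apply it per route rather than site-wide.
        $middleware->alias([
            'paranoia.ip' => IPChangeRestrictionMiddleware::class,
        ]);
    })
    ->create();

// ---- routes/web.php ----
use Illuminate\Support\Facades\Route;

// Only state-changing, high-value routes pay the re-login cost of IP flapping.
Route::middleware(['auth', 'paranoia.ip'])->group(function (): void {
    Route::post('/account/password', [AccountController::class, 'updatePassword']);
    Route::post('/transfers', [TransferController::class, 'store']);
});

// ---- app/Providers/AppServiceProvider.php (inside boot()) ----
use Dentro\Paranoia\Events\GeoRestrictionDetected;
use Dentro\Paranoia\Events\IPChangeDuringSessionViolationDetected;
use Dentro\Paranoia\Events\UserAgentChangeDuringSessionViolationDetected;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Event;
use Illuminate\Support\Facades\Log;

Event::listen(
    [
        GeoRestrictionDetected::class,
        IPChangeDuringSessionViolationDetected::class,
        UserAgentChangeDuringSessionViolationDetected::class,
    ],
    function (object $event): void {
        $request = request();

        // Record enough context for incident response: which check fired, for
        // whom, from where. The session ID is hashed so the log is not a
        // second place from which a live session could be stolen.
        Log::warning('paranoia: suspicious session activity', [
            'event'      => $event::class,
            'user_id'    => Auth::id(),
            'session'    => hash('sha256', $request->session()->getId()),
            'ip'         => $request->ip(),
            'user_agent' => $request->userAgent(),
        ]);

        // End the suspect session. With the database driver, invalidate()
        // destroys the stored row, so the possibly stolen ID cannot be replayed.
        Auth::logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();
    }
);
```

The README does not say whether the middlewares themselves reject the request once a violation is detected, so the listener above tears the session down on its own; if the package already does that, the extra teardown is harmless. The one configuration step that is easy to forget is `trustProxies`: behind a load balancer without it, `$request->ip()` is the balancer's address for every user, which silently disables both the IP change and the Geo IP checks.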
Utilities
Caution
These security utilities are planned to be split out into a separate package.
X-Form Header Encoding as Form
This utility moves form submission out of the plain-text request body: the client sends its fields in an X-Form header instead.
```
# Register this Middleware
\Dentro\Paranoia\Middlewares\FormViaHeaderMiddleware::class
```
The middleware reads the X-Form header, decodes it into an array and registers that array as the request's inputs, so the rest of the application (validation, form requests, controllers) sees an ordinary form submission. Note that a request header is just as visible to a network observer as the body is: this changes where the data travels, not whether it can be read, so it complements HTTPS rather than replacing it.
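An added illustrative middleware (not the package's `FormViaHeaderMiddleware`, whose encoding this page does not specify) showing how such a header can be decoded into request inputs safely. The wire format assumed here is base64 of a JSON object, with an 8 KB cap on the header; the rejection of anything that is not a JSON object is there because merging a list or scalar into the input bag would fail validation in confusing ways.

```php
<?php
// Added illustrative example, not the package's FormViaHeaderMiddleware.
// Assumed wire format: base64(JSON object). The header name follows the README;
// the size cap and the strictness rules are choices made for this example.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

final class FormViaHeader
{
    private const HEADER    = 'X-Form';
    private const MAX_BYTES = 8192; // assumed cap; most servers reject larger headers anyway

    public function handle(Request $request, Closure $next): Response
    {
        $raw = $request->header(self::HEADER);

        if ($raw === null) {
            // No header: fall through to the normal body-based request.
            return $next($request);
        }

        $fields = self::decode($raw);

        if ($fields === null) {
            abort(400, 'Malformed X-Form header');
        }

        // Header-supplied fields become ordinary inputs, so validation rules,
        // form requests and $request->validated() apply unchanged.
        $request->merge($fields);

        return $next($request);
    }

    /**
     * Decode base64(JSON object). Returns null for oversized input, invalid
     * base64, invalid JSON, or any JSON value that is not an object.
     *
     * @return array<string, mixed>|null
     */
    public static function decode(string $raw): ?array
    {
        if (strlen($raw) > self::MAX_BYTES) {
            return null;
        }

        $json = base64_decode($raw, strict: true);
        if ($json === false) {
            return null;
        }

        $data = json_decode($json, associative: true, depth: 16);
        if (! is_array($data) || array_is_list($data)) {
            return null;
        }

        return $data;
    }
}
```

Two ordering details matter when registering a middleware like this. It must run before `VerifyCsrfToken` if the `_token` field is expected to arrive inside the header, because the CSRF check reads it from the input bag. And because `merge()` overwrites body fields of the same name, a client that sends both a body and a header lets the header win; if that is not wanted, reject requests that carry both.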
Configuration
Geo restriction detection needs an ipinfo.io API token in your `.env`:
```
IPINFO_TOKEN=your_ipinfo_token
```
Roadmap
Our roadmap for further security features:
- Support more session drivers
- Remove the dependency on ipinfo.io