dentro/paranoia

HTTP Session Security for Laravel

v0.2.0 2024-10-10 10:34 UTC

This package is auto-updated.

Last update: 2024-10-16 08:14:08 UTC


README

Paranoia

HTTP Session Security for Laravel


Caution

Paranoia only supports sessions stored with the database driver. We plan to support more drivers if there is demand for them; please open a new issue to request the driver you need.

Important

In session hijacking (TCP hijacking), an attacker takes over a web user's active session by obtaining their unique session ID. This lets the attacker impersonate the user, reading data or performing actions as if they were the legitimate user.

The minimum effort needed to prevent session hijacking is to avoid being hijacked in the first place, by using a secure transport protocol such as HTTPS. This package provides an extra layer of session security by detecting suspicious changes (user-agent, location, IP) on a user's session.

Requires PHP 8.3+

Geo Restriction Detection

Prevents unauthorized access based on Geo IP. The Geo IP check uses ipinfo.io. Geo restriction suits applications that follow strict security rules with a limited-country access policy, such as government, financial institutions, and internal software.

# Register this Middleware
\Dentro\Paranoia\Middlewares\GeoRestrictionMiddleware::class

# Event dispatched by this detection
\Dentro\Paranoia\Events\GeoRestrictionDetected::class

Check OWASP AppSensor at RP1: Suspicious or Disallowed User Source Location for more information.

IP Changes During Session Detection

Enables detection of IP changes during a session. It can be used to prevent unauthorized access by detecting a request arriving from a new IP. Be aware that switching between WiFi and mobile data can be detected as a new IP. Use this with full awareness of that effect.

# Register this Middleware
\Dentro\Paranoia\Middlewares\IPChangeRestrictionMiddleware::class

# Event dispatched by this detection
\Dentro\Paranoia\Events\IPChangeDuringSessionViolationDetected::class

User-Agent Changes During Session Detection

Enables detection of User-Agent changes during a session. This middleware works the same way as the Location Changes Detection, but it checks for suspicious changes in the User-Agent header. It prevents a user's session from moving between multiple user agents.

# Register this Middleware
\Dentro\Paranoia\Middlewares\UserAgentChangeRestrictionMiddleware::class

# Event dispatched by this detection
\Dentro\Paranoia\Events\UserAgentChangeDuringSessionViolationDetected::class

This feature minimizes the escalation risk of a session hijacking attack.

Check OWASP AppSensor at SE6: Change of User Agent Mid Session for more information.
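As an added illustration of the detection pattern this section describes (not the package's own code), here is a minimal Laravel middleware that binds a session to the User-Agent seen on its first request and invalidates the session when that header changes mid-session. The class name, the session key `_ua_fingerprint` and the log message are assumptions of this example; the package's real middleware and event are the ones listed above.

```php
<?php
// Added example of the User-Agent-change detection pattern. Not the package's code;
// class name, session key and log fields are assumptions for illustration.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

class DetectUserAgentChange
{
    private const SESSION_KEY = '_ua_fingerprint'; // assumed key name

    public function handle(Request $request, Closure $next)
    {
        $session = $request->session();
        // Store a hash rather than the raw header; we only need an equality check.
        $current = hash('sha256', (string) $request->userAgent());

        if (! $session->has(self::SESSION_KEY)) {
            // First request of this session: bind the session to the current client.
            $session->put(self::SESSION_KEY, $current);
            return $next($request);
        }

        if (! hash_equals($session->get(self::SESSION_KEY), $current)) {
            // Mid-session change: treat it as a possible hijack. Record it for
            // the SOC, drop the session so a stolen ID is useless, and rotate
            // the CSRF token so the old one cannot be replayed.
            Log::warning('User-Agent changed mid-session', [
                'ip'      => $request->ip(),
                'user_id' => optional($request->user())->getAuthIdentifier(),
            ]);
            $session->invalidate();
            $session->regenerateToken();

            abort(419, 'Session invalidated due to a suspicious client change.');
        }

        return $next($request);
    }
}
```

Register it in the `web` middleware group after the session-starting middleware, since it reads and writes the session.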

Utilities

Caution

We plan to split these security utilities into a separate package.

X-Form Header Encoding as Form

This utility prevents plain-text body submission.

# Register this Middleware
\Dentro\Paranoia\Middlewares\FormViaHeaderMiddleware::class

The middleware reads the X-Form header, decodes it into an array, and sets that array as the request's inputs.

Configuration

IPINFO_TOKEN=your_ipinfo_token

Roadmap

Our roadmap for more security features:

  • Support more session drivers
  • Remove dependency to ipinfo.io