Basics Of Laravel Security

Laravel Security

Introduction

  • Security is one of the most important parts of any website.
  • Laravel provides several mechanisms for securing a web application.
  • Using them gives the users of the site assurance that their data is protected.

Configuration

  • Laravel makes implementing authentication very simple.
  • The authentication configuration file is located at app/config/auth.php.
  • Laravel ships with a default User model, located in app/models.

Storing Passwords

  • Laravel provides the Hash class for secure Bcrypt hashing of passwords.
  • The make() method takes a plain-text value as its argument and returns the salted hash; only the hash is stored, never the plain-text password.

Verifying A Password Against A Hash:

Checking If A Password Needs To Be Rehashed
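The three hashing operations above (Hash::make, Hash::check and Hash::needsRehash) in one login flow, as an added example that is not code from the original post. The controller, route and input field names are assumptions; the cost factor is set explicitly so that the rehash check and the new hash agree on it.

```php
<?php
// Added example (not from the original post): storing, verifying and
// rehashing passwords with Laravel 4's Hash facade.
// Controller, route and input field names are assumed for illustration.

class PasswordController extends BaseController
{
    // Bcrypt cost used for new hashes. Raising it later is safe: old hashes
    // are upgraded transparently at the next successful login (see below).
    protected $hashOptions = array('rounds' => 12);

    // Registration: store only the Bcrypt hash, never the plain text.
    public function postRegister()
    {
        $user = new User;
        $user->email = Input::get('email');
        // Hash::make generates a random salt per call, so two users with the
        // same password get different hashes.
        $user->password = Hash::make(Input::get('password'), $this->hashOptions);
        $user->save();

        return Redirect::to('login');
    }

    // Login: compare the submitted password with the stored hash.
    public function postLogin()
    {
        $user  = User::where('email', Input::get('email'))->first();
        $plain = Input::get('password');

        // Hash::check re-derives the hash with the stored salt and compares.
        // Never compare hashes with == yourself, and never hash the input and
        // compare strings; that loses the salt handling and timing safety.
        if ($user === null || ! Hash::check($plain, $user->password)) {
            return Redirect::back()->with('error', 'Invalid e-mail or password');
        }

        // needsRehash is true when the stored hash was produced with a
        // different algorithm or cost than $hashOptions, e.g. after the cost
        // was raised. This is the only moment the plain text is available, so
        // upgrade the hash here.
        if (Hash::needsRehash($user->password, $this->hashOptions)) {
            $user->password = Hash::make($plain, $this->hashOptions);
            $user->save();
        }

        Auth::login($user);

        return Redirect::intended('dashboard');
    }
}
```

In practice Auth::attempt() performs the Hash::check for you (next section); the manual form is shown here because it is the only place the rehash-on-login step can be inserted.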

Authenticating Users:

  • Another core security feature is authenticating users before allowing them to perform actions.
  • To log a user into your application, use the Auth::attempt method.

  • When the attempt method is called, the auth.attempt event is fired. If the authentication attempt succeeds and the user is logged in, the auth.login event is fired as well.
  • The Auth::attempt method takes an array of credentials, verifies them against the records stored in the database, and returns true if they match and false otherwise.

Determining If A User Is Authenticated

  • To determine whether a user is already logged into your application, use the Auth::check method:

Authenticating A User With "Remembering"

  • To provide "remember me" functionality in your application, pass true as the second argument to the Auth::attempt method:

Determining If User Authed Via Remember

If you are "remembering" user logins, you may use the viaRemember method to determine whether the user was authenticated via the "remember me" cookie rather than by entering a password in the current session:
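The login flow described in the last four sections (Auth::attempt, the auth.attempt and auth.login events, the remember-me flag, Auth::check and Auth::viaRemember), as an added example that is not code from the original post. Controller, route and view names are assumptions; the event listener payloads (credentials, remember, login for auth.attempt; user, remember for auth.login) are what Laravel 4's Guard fires.

```php
<?php
// Added example (not from the original post): Auth::attempt with remember-me,
// auditing the authentication events, and checking session state afterwards.
// Controller, route and view names are assumed for illustration.

// app/start/global.php: audit every attempt so brute forcing is visible.
// Laravel 4 fires 'auth.attempt' with (credentials, remember, login).
Event::listen('auth.attempt', function ($credentials, $remember, $login) {
    // Never log the password. E-mail and source IP are enough to alert on.
    Log::info('login attempt', array(
        'email' => array_get($credentials, 'email'),
        'ip'    => Request::getClientIp(),
    ));
});

// 'auth.login' fires only after a successful login, with (user, remember).
Event::listen('auth.login', function ($user, $remember) {
    Log::info('login success', array(
        'user_id'  => $user->getAuthIdentifier(),
        'remember' => $remember,
    ));
});

class SessionController extends BaseController
{
    public function postLogin()
    {
        $credentials = array(
            'email'    => Input::get('email'),
            'password' => Input::get('password'),
        );

        // true as the second argument issues a long-lived remember-me cookie
        // in addition to the normal session. Only do this when the user asked.
        $remember = Input::get('remember') === '1';

        if (Auth::attempt($credentials, $remember)) {
            // Return to the page the 'auth' filter redirected away from.
            return Redirect::intended('dashboard');
        }

        // One generic message: do not reveal whether the e-mail exists.
        return Redirect::to('login')
            ->withInput(Input::except('password'))
            ->with('error', 'Invalid e-mail or password');
    }

    public function getDashboard()
    {
        if (! Auth::check()) {
            // Stores the intended URL so Redirect::intended() can use it.
            return Redirect::guest('login');
        }

        // A user restored from the remember-me cookie has not typed a password
        // in this browser session. Treat that as a weaker login and require a
        // fresh password before sensitive changes.
        $notice = Auth::viaRemember()
            ? 'You were logged in by a remember-me cookie; re-enter your password to change account settings.'
            : null;

        return View::make('dashboard')->with('notice', $notice);
    }
}
```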

Accessing The Logged In User

Once a user is authenticated, you may access the User model/record with the user method:

To retrieve only the authenticated user's ID, you may use the id method:

Validating User Credentials Without Logging In

The validate method allows you to check a user's credentials without logging the user into the application:

Logging Out The Current User

Manually Logging In Users

If you need to log a user in manually, you may call the login method with a User instance:

This is equivalent to logging in a user via credentials using the attempt method.
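The operations from the last five sections (Auth::user, Auth::id, Auth::validate, Auth::logout and Auth::login) in two controllers, as an added example that is not code from the original post. The controllers, routes, Order model and field names are assumptions; Auth::validate is used as a step-up check before a sensitive change, which is the use case where checking credentials without logging in is actually needed.

```php
<?php
// Added example (not from the original post): reading the logged-in user,
// re-validating credentials without a new login, logging out, and logging a
// user in manually. Controllers, routes and the Order model are assumed.

class AccountController extends BaseController
{
    public function __construct()
    {
        // Every action in this controller requires an authenticated user.
        $this->beforeFilter('auth');
    }

    public function getProfile()
    {
        $user = Auth::user(); // the User model of the logged-in user
        $id   = Auth::id();   // just the primary key, no model needed

        // Scope the query to the session's user id. Taking a user id from the
        // request instead would let any user read any other user's orders.
        $orders = Order::where('user_id', $id)->get();

        return View::make('account.profile', compact('user', 'orders'));
    }

    // Step-up check before a sensitive change: confirm the current password
    // with Auth::validate, which does not touch the session or fire login.
    public function postChangeEmail()
    {
        $user = Auth::user();

        $credentials = array(
            'email'    => $user->email,
            'password' => Input::get('current_password'),
        );

        if (! Auth::validate($credentials)) {
            return Redirect::back()->with('error', 'Current password is incorrect');
        }

        $user->email = Input::get('new_email');
        $user->save();

        return Redirect::to('account/profile')->with('status', 'E-mail updated');
    }

    // Logout is a state change, so accept it only via POST (with the CSRF
    // token); a GET logout link can be triggered by any page the user visits.
    public function postLogout()
    {
        // Clears the session entry and the remember-me cookie.
        Auth::logout();

        return Redirect::to('login');
    }
}

// Manual login, e.g. right after registration, where there are no
// credentials to "attempt" against the database.
class RegistrationController extends BaseController
{
    public function postRegister()
    {
        $user = new User;
        $user->email    = Input::get('email');
        $user->password = Hash::make(Input::get('password'));
        $user->save();

        // Same effect as a successful Auth::attempt for this user; pass true
        // as the second argument to also set the remember-me cookie.
        Auth::login($user);

        return Redirect::to('dashboard');
    }
}
```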

Protecting Routes

Route filters allow only authenticated users to access the routes they are attached to. Laravel provides an auth filter by default:
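The default auth filter and the two ways of attaching it to routes, as an added example that is not code from the original post. The filter body is the one Laravel 4 ships in app/filters.php; the route paths and controller names are assumptions.

```php
<?php
// Added example (not from the original post): protecting routes with the
// default 'auth' filter. Route paths and controllers are assumed.

// app/filters.php: the auth filter as shipped with Laravel 4. Guests are
// redirected to the login page (AJAX callers get a 401 instead), and
// Redirect::guest() stores the requested URL so Redirect::intended() can
// send the user back after login.
Route::filter('auth', function () {
    if (Auth::guest()) {
        if (Request::ajax()) {
            return Response::make('Unauthorized', 401);
        }

        return Redirect::guest('login');
    }
});

// app/routes.php

// Public routes carry no filter.
Route::get('login',  'SessionController@getLogin');
Route::post('login', 'SessionController@postLogin');

// A single protected route.
Route::get('dashboard', array('before' => 'auth', 'uses' => 'SessionController@getDashboard'));

// Prefer a group for a whole protected area: a route added later inside the
// group is protected automatically, whereas a per-route filter is easy to
// forget.
Route::group(array('before' => 'auth', 'prefix' => 'account'), function () {
    Route::get('profile',       'AccountController@getProfile');
    Route::post('change-email', 'AccountController@postChangeEmail');
    Route::post('logout',       'AccountController@postLogout');
});
```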

CSRF Protection

Laravel provides a method for protecting your application from cross-site request forgeries: a random token stored in the session is placed in every form and checked on submission, so a request forged from another site cannot supply it.
CSRF Token used Into Form

Validate The Submitted CSRF Token
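The token in the form and the filter that validates it, as an added example that is not code from the original post. The csrf filter body is the one Laravel 4 ships; the routes, view and the App::error handler are assumptions.

```php
<?php
// Added example (not from the original post): CSRF protection in Laravel 4.
// Routes, the view and the error handler are assumed for illustration.

// app/filters.php: the csrf filter as shipped. The token in the session is
// compared with the _token field of the submitted form.
Route::filter('csrf', function () {
    if (Session::token() != Input::get('_token')) {
        throw new Illuminate\Session\TokenMismatchException;
    }
});

// app/routes.php: every state-changing route gets both filters. GET routes
// should never change state, so they need no csrf filter.
Route::group(array('before' => 'auth|csrf', 'prefix' => 'account'), function () {
    Route::post('change-email', 'AccountController@postChangeEmail');
    Route::post('logout',       'AccountController@postLogout');
});

// app/start/global.php: turn a mismatched token into a friendly response
// instead of a stack trace (an expired session is the common benign cause).
App::error(function (Illuminate\Session\TokenMismatchException $e) {
    return Redirect::back()->with('error', 'Your session expired, please try again.');
});

// app/views/account/change_email.php (plain PHP view). Form::open() adds the
// hidden _token field itself for any non-GET form; Form::token() adds it to
// a hand-written <form>.
?>
<?php echo Form::open(array('url' => 'account/change-email')); ?>
    <?php echo Form::label('new_email', 'New e-mail'); ?>
    <?php echo Form::email('new_email'); ?>
    <?php echo Form::label('current_password', 'Current password'); ?>
    <?php echo Form::password('current_password'); ?>
    <?php echo Form::submit('Update'); ?>
<?php echo Form::close(); ?>

<form method="POST" action="/account/logout">
    <?php echo Form::token(); ?>
    <button type="submit">Log out</button>
</form>
```

The shipped filter compares the tokens with a plain `!=`; on PHP 5.6 and later `hash_equals(Session::token(), (string) Input::get('_token'))` gives the same check in constant time.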

Avoiding SQL Injection

  • A SQL injection vulnerability exists when an application inserts unfiltered user input into a SQL query string.
  • By default, Laravel's query builder and Eloquent use PHP Data Objects (PDO) parameter binding.
  • PDO allows you to safely pass any value as a parameter: a bound value is sent separately from the SQL text and is never parsed as SQL.
  • Raw expressions (DB::raw, whereRaw, DB::statement and DB::select with a hand-built string) bypass this protection, so any user input in them must still be passed as a binding, and identifiers such as column names, which cannot be bound, must be whitelisted.
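The same lookup written unsafely and then with bindings, plus the two cases where bindings alone are not enough, as an added example that is not code from the original post. The users table, its columns and the method names are assumptions.

```php
<?php
// Added example (not from the original post): injection-prone and safe
// query forms in Laravel 4. Table, columns and method names are assumed.

class UserSearch
{
    // VULNERABLE: user input interpolated into the SQL string. An $email of
    //   ' OR '1'='1
    // returns every row, and a UNION can read other tables.
    public function findByEmailUnsafe($email)
    {
        return DB::select("select * from users where email = '$email'");
    }

    // SAFE: the ? placeholder is handed to PDO as a bound parameter. The
    // value is never parsed as SQL, so quotes inside it are harmless.
    public function findByEmail($email)
    {
        return DB::select('select * from users where email = ?', array($email));
    }

    // SAFE: the query builder and Eloquent bind every value given to where().
    public function findByEmailEloquent($email)
    {
        return User::where('email', $email)->first();
    }

    // SAFE only because the inputs are bound. whereRaw takes the string
    // verbatim; writing "status = '$status'" here would reintroduce the
    // injection even though Eloquent is in use.
    public function activeSince($status, $days)
    {
        return User::whereRaw(
            'status = ? and created_at > date_sub(now(), interval ? day)',
            array($status, (int) $days)
        )->get();
    }

    // Identifiers (column and table names) cannot be bound by PDO.
    // Whitelist them against the columns you actually allow sorting on.
    public function sortedBy($column)
    {
        $allowed = array('email', 'name', 'created_at');
        if (! in_array($column, $allowed, true)) {
            $column = 'created_at';
        }

        return User::orderBy($column)->get();
    }
}
```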

Cookies

  • In Laravel, it is very easy to create, read, and expire cookies with the Cookie class, and cookie values are automatically signed and encrypted, so the browser can neither read nor tamper with them.
  • Encryption does not protect a cookie in transit or from scripts in the page; set the secure and httpOnly flags for any cookie that matters, and still validate the decrypted value like any other input.
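Creating, reading and expiring a cookie with the Cookie class, as an added example that is not code from the original post. The controller, cookie name and view are assumptions; the Cookie::make argument order (name, value, minutes, path, domain, secure, httpOnly) is Laravel 4's.

```php
<?php
// Added example (not from the original post): cookie handling with Laravel
// 4's Cookie facade. Controller, cookie name and view are assumed.

class PreferencesController extends BaseController
{
    public function postTheme()
    {
        // Whitelist before storing; the cookie is encrypted, but the user
        // chose the value.
        $theme = Input::get('theme') === 'dark' ? 'dark' : 'light';

        // make(name, value, minutes, path, domain, secure, httpOnly).
        // Laravel encrypts and MACs the value, so a tampered cookie fails to
        // decrypt and reads back as null. secure=true keeps it off plain
        // HTTP; httpOnly=true hides it from JavaScript.
        $cookie = Cookie::make('theme', $theme, 60 * 24 * 30, null, null, true, true);

        // Cookies travel with a response; they are not set globally.
        return Redirect::to('preferences')->withCookie($cookie);
    }

    public function getIndex()
    {
        // The second argument is the default when the cookie is absent or
        // failed to decrypt.
        $theme = Cookie::get('theme', 'light');

        // Still validate: the cookie was issued by us, but a stale or
        // manipulated value should never reach the view untested.
        if (! in_array($theme, array('light', 'dark'), true)) {
            $theme = 'light';
        }

        return View::make('preferences', compact('theme'));
    }

    public function postReset()
    {
        // forget() builds an already-expired cookie; sending it makes the
        // browser delete its copy.
        return Redirect::to('preferences')->withCookie(Cookie::forget('theme'));
    }
}
```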

Forcing HTTPS when exchanging sensitive data

  • HTTPS prevents attackers on the same network from intercepting private information such as the session cookie and using it to log in as the victim.
  • The login form itself, not just the POST that submits it, must be served over HTTPS; otherwise an attacker can alter the plain-HTTP page so the credentials are sent elsewhere.

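Forcing HTTPS on the routes that carry credentials or a session, as an added example that is not code from the original post. The filter name, routes and controllers are assumptions; Redirect::secure, Request::secure and the 'https' route attribute are Laravel 4 features.

```php
<?php
// Added example (not from the original post): forcing HTTPS in Laravel 4.
// The filter name, routes and controllers are assumed for illustration.

// app/filters.php: send any plain-HTTP request to the same URL over TLS.
// Request::getRequestUri() keeps the path and query string.
Route::filter('force-ssl', function () {
    if (! Request::secure()) {
        return Redirect::secure(Request::getRequestUri());
    }
});

// app/routes.php

// A route can also declare 'https' directly; the router then matches it
// only for TLS requests, so a plain-HTTP hit is a 404 rather than a leak.
Route::get('login', array('https', 'uses' => 'SessionController@getLogin'));
Route::post('login', array('https', 'uses' => 'SessionController@postLogin'));

// Everything that handles a logged-in session goes through the filter
// before the auth check, so the session cookie is never requested over HTTP.
Route::group(array('before' => 'force-ssl|auth'), function () {
    Route::get('dashboard', 'SessionController@getDashboard');
    Route::get('account/profile', 'AccountController@getProfile');
});

// app/config/session.php: with 'secure' => false the browser still attaches
// the session cookie to any http:// link to the site, which an on-path
// attacker can trigger and capture. Set it to true once the whole site is
// served over HTTPS.
return array(
    'driver'   => 'file',
    'lifetime' => 120,
    'cookie'   => 'laravel_session',
    'secure'   => true,
);
```

Redirecting a POST from HTTP to HTTPS is too late for the data in that POST; the redirect only protects later requests. That is why the login form page is marked https above and the session cookie is flagged secure.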
I hope this helps you. Feel free to add your comments and feedback, and if you need more assistance with Laravel services or OctoberCMS development services, get in touch.