OpenSkillIndex← back to search
claude-code

Agent-skills-standard laravel-sessions-middleware

Configure Redis session drivers, register security-header middleware, and prevent session fixation in Laravel. Use when switching session drivers, adding HSTS/CSP headers via middleware, or regenerating sessions after login. (triggers: app/Http/Middleware/**/*.php, config/session.php, session, driver, handle, headers, csrf)

install
source · Clone the upstream repo
git clone https://github.com/HoangNguyen0403/agent-skills-standard
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/HoangNguyen0403/agent-skills-standard "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/laravel/laravel-sessions-middleware" ~/.claude/skills/hoangnguyen0403-agent-skills-standard-laravel-sessions-middleware && rm -rf "$T"
manifest: skills/laravel/laravel-sessions-middleware/SKILL.md
source content

Laravel Sessions & Middleware

Priority: P1 (HIGH)

Workflow: Secure Sessions & Add Middleware

  1. Set Redis driver
    SESSION_DRIVER=redis
    in 
    .env
    ; install 
    predis/predis
    .
  2. Regenerate on login — Call 
    $request->session()->regenerate()
    after authentication.
  3. Create security middleware — Add HSTS, CSP, X-Frame-Options headers.
  4. Register globally — Use 
    withMiddleware(fn($m) => $m->append(...))
    in 
    bootstrap/app.php
    .

Security Headers Middleware Example

See implementation examples for security headers middleware and directory structure.

Implementation Guidelines

Session Architecture

  • Drivers: Set 
    SESSION_DRIVER=redis
     in 
    .env
    for production/scaled environments.
  • Dependencies: Install 
    predis/predis
     and avoid file driver due to I/O lock issues at scale.
  • Security: Call 
    $request->session()->regenerate()
     after successful authentication to prevent session fixation. Call 
    $request->session()->invalidate()
     on logout.
  • Access: Never access 
    env('SESSION_DRIVER')
     directly in code; always use 
    config('session.driver')
    . Clear caches via 
    php artisan config:clear
    .

Middleware Pipeline

  • Custom Middleware: Use 
    php artisan make:middleware EnsureTokenIsValid
    . Implement 
    handle(Request $request, Closure $next): Response
    .
  • Registration: Register new middleware in 
    bootstrap/app.php
     using 
    withMiddleware()
    .
  • Security Headers: Standardize HSTS, CSP, X-Frame-Options, and X-Content-Type-Options in dedicated security middleware. Register as global middleware.
  • Priority: Use 
    withMiddleware(fn($m) => $m->append(MyMiddleware::class))
     or 
    prepend()
     for highest priority.
  • Performance: Avoid heavy computation in global middleware; delegate these to domain services.

Anti-Patterns

  • No file session driver in production: Use Redis or Memcached instead.
  • No 
    env()
    for session config    : Use 
    config('session.*')
    instead.
  • No heavy logic in Middleware: Delegate complex logic to Services.
  • No sensitive data in cookies: Store securely in server sessions only.

References