
I am struggling against hackers now.

My project is in Laravel. Not sure how, but they are getting an administrator session and doing everything in the project now.

I researched on the Internet and they say it is Laravel session hijacking. Does anyone have experience with Laravel session hijacking protection?

Please help me.

Thank you

Implemented the Fortify auth model. Implemented the second password system.

  • Are you using https? If you have an SSL certificate (meaning you're using TLS), the channel between the browser and the server your application is hosted on should be secure. That said, if people are intercepting the connection with something like a man-in-the-middle attack, there's not much you can do (that I can think of) – IGP Apr 14 '23 at 03:24
  • Use *tokens* / *cookies*, so the data stored in your session is *encrypted* – Newbee Apr 14 '23 at 03:28
  • Also, this could be a duplicate of https://stackoverflow.com/questions/12233406/preventing-session-hijacking – IGP Apr 14 '23 at 03:28
  • You could try to change the APP_KEY with `php artisan key:generate`. Perhaps it got compromised. Speaking of which, check if your website's `.env` is properly hidden (navigate to `https://your-project-name-here/.env`. This should throw a 404. If it doesn't and shows your environment file, you have a big problem). – IGP Apr 14 '23 at 03:35
  • @IGP I don't use .env. I set all variables in the config files directly. Maybe this would be a problem? – todayforfuture Apr 14 '23 at 03:47
  • @todayforfuture It is a security risk if you've committed those files to a git repository, yes. `config/app.php` has a `'key'` value. You should at least set it to something secure. – IGP Apr 14 '23 at 03:50
  • You can get Laravel to generate a value for you with `php artisan key:generate --show` – IGP Apr 14 '23 at 03:56
  • In addition to the suggestions for the Laravel application, check your own computer and browser for malware or malicious browser extensions. The Linus Tech Tips YouTube channel was hacked with this method; the attackers stole the session token directly from the admin's computer. – Kevin Apr 18 '23 at 13:43

1 Answer


You need to use a .env file and make sure that it isn't hosted in a public GitHub repository. Best practice would be to make sure that it's included in the .gitignore and that you set it up locally and on the server.

Make sure the app key is regenerated. Also make sure that you are serving the project with an SSL cert (HTTPS access).

JohnRugen
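As an added example (not code from the question, the answer or the Laravel project itself), this is how the advice above maps onto Laravel's own `config/session.php`: the weak setting is shown in a comment beside the hardened value, and the matching `.env` lines (placeholder values, constructed for this example) are listed at the top. It assumes a stock Laravel install where `config/app.php` reads `'key' => env('APP_KEY')`.

```php
<?php
// config/session.php, hardened excerpt. Added example, not the page's code.
// Keep the rest of the file as Laravel generated it; only the keys that matter
// for a stolen session cookie are shown here.
//
// Matching .env (listed in .gitignore, never committed, not served by the web
// server; a request for /.env must return 404):
//   APP_KEY=base64:REPLACE_WITH_OUTPUT_OF_php_artisan_key_generate_--show
//   APP_DEBUG=false
//   SESSION_SECURE_COOKIE=true
//
// Rotating APP_KEY (php artisan key:generate) makes every cookie encrypted
// under the old key unreadable, so all existing sessions, including one an
// intruder is holding, are invalidated and users must log in again.

return [
    // Store sessions server-side; the browser only holds an opaque id.
    'driver' => env('SESSION_DRIVER', 'file'),

    // Weak: 'lifetime' => 120 with a long-lived admin session. A shorter
    // lifetime limits how long a stolen cookie stays usable.
    'lifetime' => env('SESSION_LIFETIME', 30),
    'expire_on_close' => true,

    // Weak: 'encrypt' => false. Encrypt the session payload itself (this is the
    // point raised in the comment about encrypted session data).
    'encrypt' => true,

    // Weak: 'secure' => env('SESSION_SECURE_COOKIE') with the variable unset,
    // which lets the cookie travel over plain HTTP. With HTTPS enforced, send
    // the cookie only over TLS.
    'secure' => env('SESSION_SECURE_COOKIE', true),

    // Keep the cookie out of reach of page scripts (malicious extensions that
    // inject script, XSS).
    'http_only' => true,

    // Weak: 'same_site' => null. 'lax' (Laravel's default) or 'strict' stops the
    // cookie being attached to cross-site requests.
    'same_site' => 'strict',
];
```

After changing these values and the key, clear the config cache (`php artisan config:clear`) and expect every user to be logged out once.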