
sessions-middleware skill

/skills/laravel/sessions-middleware

This skill enforces Laravel sessions and middleware best practices, promoting secure, scalable request handling with standardized headers and robust CSRF

npx playbooks add skill hoangnguyen0403/agent-skills-standard --skill sessions-middleware


SKILL.md
---
name: Laravel Sessions & Middleware
description: Expert standards for session drivers, security headers, and middleware logic.
metadata:
  labels: [laravel, session, middleware, security, high-density]
  triggers:
    files: ['app/Http/Middleware/**/*.php', 'config/session.php']
    keywords: [session, driver, handle, headers, csrf]
---

# Laravel Sessions & Middleware

## **Priority: P1 (HIGH)**

## Structure

```text
app/Http/
├── Middleware/         # Custom logic layers
└── Kernel.php          # Global/Group registration (Laravel 10 and earlier; Laravel 11+ does both in bootstrap/app.php)
```

## Implementation Guidelines

- **Session Driver**: Use `redis` or `memcached` for production/high-density environments.
- **Middleware Chain**: Keep logic granular; one middleware per responsibility.
- **Global Middleware**: Register via `bootstrap/app.php` (`->withMiddleware(...)`, Laravel 11+) or the `$middleware` array in `app/Http/Kernel.php` (Laravel 10 and earlier), and only for true globals (logging, headers); group and per-route middleware belong on the `web`/`api` groups or route aliases in the same file.
- **Security Headers**: Standardize headers (HSTS on HTTPS responses only, CSP, X-Frame-Options, X-Content-Type-Options) in one dedicated middleware rather than per-controller calls.
- **CSRF Protection**: Ensure `VerifyCsrfToken` (shipped in the default `web` group) stays active for all state-changing web routes; keep its exclusion list empty or limited to webhook endpoints that authenticate by another means (signature or token).
- **Session Lifecycle**: Call `$request->session()->regenerate()` after login and privilege changes, and `invalidate()` followed by `regenerateToken()` on logout.
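
As an added example (not code from the skill or its repository), a dedicated security-headers middleware of the kind the guidelines call for. The class name `SecurityHeaders` and the header values are assumptions; the CSP in particular is a starting point that has to be tuned per application:

```php
<?php
// app/Http/Middleware/SecurityHeaders.php
// Added example; class name and header values are assumptions, not the skill's own code.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        /** @var Response $response */
        $response = $next($request);

        // HSTS is only meaningful on HTTPS responses; browsers ignore it over plain HTTP,
        // and emitting it there is a sign that proxy/TLS detection is misconfigured.
        if ($request->isSecure()) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubDomains'
            );
        }

        // Clickjacking and MIME-sniffing protection (legacy headers, still worth sending).
        $response->headers->set('X-Frame-Options', 'DENY');
        $response->headers->set('X-Content-Type-Options', 'nosniff');
        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');

        // Restrictive CSP: same-origin resources only, no plugins, no framing, no <base> hijack.
        // frame-ancestors 'none' is the modern equivalent of X-Frame-Options: DENY.
        $response->headers->set(
            'Content-Security-Policy',
            "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
        );

        return $response;
    }
}
```

Register it as a global with `$middleware->append(SecurityHeaders::class)` inside `->withMiddleware(...)` in `bootstrap/app.php` on Laravel 11+, or by adding it to the `$middleware` array in `app/Http/Kernel.php` on earlier versions. Behind a TLS-terminating load balancer `$request->isSecure()` is only true once trusted proxies are configured (`$middleware->trustProxies(...)` on Laravel 11+, the `TrustProxies` middleware earlier); otherwise the app sees plain HTTP and HSTS is never emitted. Roll the CSP out as `Content-Security-Policy-Report-Only` first so violations surface before enforcement breaks the UI.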

## Anti-Patterns

- **File Streams**: **No file session driver**: Avoid in scaled apps; sessions live on one host's disk, so they do not follow users across load-balanced workers, and disk I/O plus garbage collection add latency under load.
- **Env direct**: **No env('SESSION_...')**: Always use `config('session...')`; once `config:cache` has run, `.env` is no longer loaded and `env()` returns nothing outside `config/*.php`.
- **Heavy Bloat**: **No heavy logic in Middleware**: Offload to Services if >10 lines.
- **Trusting Client**: **No sensitive data in Cookies**: Laravel's `EncryptCookies` hides cookie contents, but the client still holds and can replay them; store private data in server sessions only and keep nothing but an opaque session ID client-side.
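
An added example (not the skill's own file) of the `config/session.php` keys that implement the driver and cookie guidance above, with the weak and corrected values side by side in comments. The cookie name and the `sessions` Redis connection name are assumptions:

```php
<?php
// config/session.php
// Added example; only the keys relevant to the guidelines are shown.
// 'app_session' and the 'sessions' Redis connection are assumptions.

return [
    // WEAK:    'driver' => env('SESSION_DRIVER', 'file')  -> host-local, breaks behind a load balancer
    // CORRECT: a shared store so every worker sees the same session
    'driver' => env('SESSION_DRIVER', 'redis'),

    // Redis connection (must exist in config/database.php) used for sessions. Keeping it
    // separate from the cache connection means a cache flush cannot log every user out.
    'connection' => env('SESSION_CONNECTION', 'sessions'),

    // Idle lifetime in minutes; prefer a short lifetime over relying on expire_on_close.
    'lifetime'        => (int) env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,

    // Encrypt the serialized payload at rest (defence in depth if the Redis instance is shared).
    'encrypt' => env('SESSION_ENCRYPT', true),

    // Cookie attributes.
    // WEAK:    'secure' => null, 'same_site' => null -> cookie travels over plain HTTP and on cross-site requests
    // CORRECT: Secure + HttpOnly + SameSite=Lax ('strict' if no cross-site navigation needs the session)
    'cookie'    => env('SESSION_COOKIE', 'app_session'),
    'path'      => '/',
    'domain'    => env('SESSION_DOMAIN'),
    'secure'    => env('SESSION_SECURE_COOKIE', true),
    'http_only' => true,
    'same_site' => 'lax',
];
```

At runtime read these through `config('session.driver')`, `config('session.same_site')` and so on. After `php artisan config:cache` the `.env` file is not loaded, so a direct `env('SESSION_DRIVER')` call outside a config file only sees system-level environment variables, which in a typical deployment means `null`; that is the failure the anti-pattern above guards against. `env()` belongs only inside `config/*.php`, which is evaluated once when the cache is built.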

## References

- [Advanced Middleware Patterns](references/implementation.md)

Overview

This skill defines expert standards for Laravel sessions and middleware, focusing on secure, scalable defaults for production apps. It prescribes session drivers, middleware structure, and concrete security header policies to reduce common risks. The guidance is practical and aimed at maintainable middleware chains and session lifecycle handling.

How this skill works

The skill inspects and enforces patterns around session driver selection, middleware responsibilities, and global registration. It recommends dedicated middleware for security headers and lightweight middleware functions that delegate complex logic to services. It also enforces session lifecycle actions like regenerating sessions after authentication events and ensures CSRF protection is active for web routes.

When to use it

  • Building or hardening Laravel apps for production and high-concurrency environments.
  • Auditing middleware for single-responsibility and performance issues.
  • Setting up security headers consistently across all responses.
  • Configuring session persistence for distributed deployments (Redis/Memcached).
  • During code review to catch anti-patterns like file sessions or heavy middleware logic.

Best practices

  • Use redis or memcached session drivers in production; avoid file driver for scaled apps.
  • Keep middleware granular: one responsibility per middleware and delegate complex logic to services.
  • Register true globals only at the bootstrap stage (bootstrap/app.php on Laravel 11+, the $middleware array of Kernel.php on earlier versions); attach route-group middleware to the web/api groups in the same place.
  • Standardize security headers (HSTS, CSP, X-Frame-Options) via dedicated middleware.
  • Always use config('session...') instead of env('SESSION_...') to read runtime configuration.
  • Call $request->session()->regenerate() after login, privilege changes, or session fixation risk events.

Example use cases

  • Migrating a monolithic app to distributed workers and switching session storage to Redis.
  • Implementing CSP and HSTS consistently by adding a small HeaderMiddleware across web routes.
  • Refactoring a fat middleware that contains business logic into a thin middleware + service layer.
  • Configuring session regeneration after OAuth login to prevent session fixation exploits.
  • Code review checklist item to flag any use of file sessions, direct env() reads, or sensitive cookie storage.

FAQ

Why avoid the file session driver?

File sessions are written to the local disk of the server that handled the request, so they do not follow users across load-balanced workers; under load, disk I/O and session garbage collection also hurt concurrency. Redis or memcached gives every worker the same view of the session.

When should I use global middleware vs route middleware?

Use global middleware only for truly global concerns like logging or headers. Per-route or per-group behaviours go on the web/api groups or route-level aliases, registered in bootstrap/app.php on Laravel 11+ or in Kernel.php's $middlewareGroups and $middlewareAliases on earlier versions.

Is it okay to store user preferences in cookies?

Avoid sensitive data in cookies. Non-sensitive preferences may be stored, but prefer server-side sessions for anything private or security-related: Laravel encrypts and signs cookies, yet the client still holds them and can copy and replay them, so treat any cookie value as untrusted input.