
inao's Content

There have been 5 items by inao (Search limited from Apr 26, 2023)



#42089212 [PHP/Symfony] Simple session hijack protection

Posted by inao on 24 March 2023 - 11:03 PM in HTML, CSS, JS & PHP

Hello y'all,

after some inactivity here, I've decided to post my session protection solution. I guess it's not the best one, but I would say it's a really secure one. Also, this is inspired by the recent events that happened to LinusTechTips, tbh. Unsure why Google doesn't do something like this already, lol.

What this code does is save the client IP address on login and, on every kernel.request event, take it from the session and from the current request. If there is a mismatch, the session gets destroyed immediately. This should in theory prevent any info-stealers from yoinking sessions from your clients.

This works on events that are built into Symfony, meaning there is little effort to implement this solution in your existing project, and it's an effective one, I would say.

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class SessionSecurityListener implements EventSubscriberInterface
{
    public function onKernelRequest(RequestEvent $requestEvent): void
    {
        // Only check the main request; sub-requests (forwards, ESI) share its session.
        if (!$requestEvent->isMainRequest()) {
            return;
        }

        $request = $requestEvent->getRequest();
        // Requests without a session (e.g. stateless API routes) have nothing to compare;
        // calling getSession() there would throw.
        if (!$request->hasSession()) {
            return;
        }

        $session = $request->getSession();
        $ipSession = $session->get("security.login_ip");
        if ($ipSession !== null) {
            // getClientIp() honours trusted proxies, so configure framework.trusted_proxies
            // when running behind a load balancer.
            $ipRequest = $request->getClientIp();
            if ($ipSession !== $ipRequest) {
                // IP changed since login: destroy the session and send the client to the start page.
                $session->invalidate();
                $requestEvent->setResponse(new RedirectResponse('/'));
            }
        }
    }

    public static function getSubscribedEvents(): array
    {
        return [KernelEvents::REQUEST => 'onKernelRequest'];
    }
}

This was your event. But now, you will need to set the IP somewhere. I suggest you save it on successful user login. So, something like this.

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

    #[Route(path: '/login', name: 'security-login')]
    public function login(Request $request): Response // Request is injected by Symfony's argument resolver
    {
        //your flow..
        // Bind the session to the IP the user logged in from; the listener compares against it on every request.
        $request->getSession()->set("security.login_ip", $request->getClientIp());

        return $this->render(..); //last render in the function
    }

I hope this will help you to protect your apps :)

Good luck with your development.
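The check above stands or falls on how the client IP is derived. Behind a reverse proxy the TCP peer is always the proxy, so the application has to read X-Forwarded-For, but it must only believe that header when the peer is a proxy it trusts and must take the address the proxy appended, not the one the client sent. Otherwise an attacker replaying a stolen cookie just sends the victim's IP in the header (stealer logs commonly record the victim's public IP alongside the cookies), and the binding is bypassed. Symfony's getClientIp() does this resolution for you once trusted proxies are configured (framework.trusted_proxies or Request::setTrustedProxies()). The following is an added example, not code from the post above, that shows the same IP binding and the proxy-aware resolution in plain PHP; the names resolveClientIp, bindSessionIp, sessionIpStillMatches, TRUSTED_PROXIES and all addresses are assumptions for illustration.

```php
<?php
// Added example (not from the original post): IP-bound sessions without Symfony.
// Function names, the proxy address and the sample requests are assumptions.
declare(strict_types=1);

const SESSION_IP_KEY = 'security.login_ip';

// Proxies whose X-Forwarded-For header we are willing to believe.
// Assumed deployment: one reverse proxy on the local network.
const TRUSTED_PROXIES = ['10.0.0.5'];

/**
 * Resolve the client IP. Consult X-Forwarded-For only when the TCP peer is a
 * trusted proxy, then walk the chain from the right and return the first hop
 * that is not itself a trusted proxy (the address the proxy appended for the
 * real peer). Anything further left was supplied by the client and is untrusted.
 */
function resolveClientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote; // direct connection: the header, if any, is ignored
    }
    $forwarded = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($forwarded === '') {
        return $remote;
    }
    $chain = array_map('trim', explode(',', $forwarded));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (!in_array($chain[$i], TRUSTED_PROXIES, true)
            && filter_var($chain[$i], FILTER_VALIDATE_IP) !== false) {
            return $chain[$i];
        }
    }
    return $remote;
}

/** Called once, right after a successful login. */
function bindSessionIp(array &$session, string $clientIp): void
{
    $session[SESSION_IP_KEY] = $clientIp;
}

/**
 * Called on every request. True when the session is unbound (nobody logged in)
 * or bound to this client's IP; false means the caller should invalidate it.
 */
function sessionIpStillMatches(array $session, string $clientIp): bool
{
    if (!isset($session[SESSION_IP_KEY])) {
        return true;
    }
    return hash_equals($session[SESSION_IP_KEY], $clientIp);
}

// --- demo with constructed requests (no real traffic) ---
$session = [];

// Victim logs in from 203.0.113.7 through the trusted proxy.
$login = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
bindSessionIp($session, resolveClientIp($login));

// Same client on a later request.
$same = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
var_dump(sessionIpStillMatches($session, resolveClientIp($same)));

// Attacker replays the stolen cookie from 198.51.100.9 through the proxy and
// spoofs X-Forwarded-For with the victim's IP. The proxy appends the real peer,
// so the right-most non-proxy hop is the attacker's address.
$replay = ['REMOTE_ADDR' => '10.0.0.5',
           'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 198.51.100.9'];
var_dump(sessionIpStillMatches($session, resolveClientIp($replay)));

// Attacker connects directly, bypassing the proxy, with the same spoofed header.
// 198.51.100.9 is not a trusted proxy, so the header is never consulted.
$direct = ['REMOTE_ADDR' => '198.51.100.9',
           'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
var_dump(sessionIpStillMatches($session, resolveClientIp($direct)));
```

Two operational points follow from this. First, if the application sits behind a proxy and trusted proxies are not configured, every client resolves to the proxy's address and the comparison never fails, so the protection is silently inert. Second, legitimate users whose address changes mid-session (mobile networks, carrier-grade NAT, VPN reconnects) will be logged out by this check; that is the price of IP binding and should be weighed against the threat model before enabling it.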




#39912069 How to rep a user on nulled without visiting his profile

Posted by inao on 08 September 2022 - 09:14 PM in Tutorials, Guides, Ebooks, etc.

I identify myself as a battle helicopter so generalizing to "his profile" is disrespectful (just a joke bro, ok?)




#39911753 Five years registered

Posted by inao on 08 September 2022 - 08:45 PM in Achievements & Bragging

congrats




#39116016 Coding service.

Posted by inao on 07 July 2022 - 03:58 PM in Services

Good luck with sales!

Thank you  :dreamy:




#39096074 Coding service.

Posted by inao on 05 July 2022 - 11:11 PM in Services

Hi.
I'm offering a coding service. IRL working as a software developer in multi-national corporate.
Languages: PHP, Java, Web services (HTML, CSS, JS)

Price? Depends on your project. If you only need a simple HTML page, it will be just a few EUR, depending on the time spent. If you want a big project, we can talk about the price.

What is my development cycle like, and what will you receive? Development is done using IntelliJ IDEA Ultimate. Progress can be tracked on JetBrains Space (issue tracking, git, chat).

What do you need? First of all, you have to have a vision and know what you want. I'm not here to think up and create your project. You have to present me your project, what it should be about, and if you have a UI connected to it, we will do some designs (wireframes, colors, etc.). Only after this can your project be built.

I'm not doing cracking stuff. I might be able to create it, and I tried it in the past, but not with proxy support, and that's kinda bad.

 

Do you have your vision? Let's convert it into reality ;)