Hello y'all,
after some inactivity here, I've decided to post my session protection solution. I guess it's not the best one, but I would say it's a really secure one. Also, this is inspired by the recent events that happened to LinusTechTips tbh. Unsure why Google doesn't do something like this already lol
What this code will do is save the client IP address on login and, on every kernel.request event, take it from the session and from the current request. If there is a mismatch, the session will get destroyed immediately. This should in theory prevent any info-stealers from yoinking sessions from your clients.
This works on events that are built in to Symfony, meaning there is little effort to implement this solution in your existing project, and it's an effective one I would say.
```php
<?php

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class SessionSecurityListener implements EventSubscriberInterface
{
    public function onKernelRequest(RequestEvent $requestEvent): void
    {
        $request = $requestEvent->getRequest();
        // Nothing to check until a session exists (stateless firewalls, asset requests).
        if (!$request->hasSession()) {
            return;
        }
        $ipSession = $request->getSession()->get('security.login_ip');
        if ($ipSession !== null) {
            $ipRequest = $request->getClientIp();
            // Strict comparison: getClientIp() may return null, which strcmp() does not accept.
            if ($ipSession !== $ipRequest) {
                // Mismatch: destroy the session and send the client back to the start page.
                $request->getSession()->invalidate();
                $requestEvent->setResponse(new RedirectResponse('/'));
            }
        }
    }

    public static function getSubscribedEvents(): array
    {
        return [KernelEvents::REQUEST => 'onKernelRequest'];
    }
}
```
That was the event. But now you will need to set the IP somewhere. I suggest you save it on successful user login. So, something like this:
```php
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

#[Route(path: '/login', name: 'security-login')]
public function login(Request $request): Response
{
    // your flow..
    $request->getSession()->set('security.login_ip', $request->getClientIp());

    return $this->render(..); // last render in the function
}
```
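As an added example that is not part of the original post: the same idea using Symfony's own LoginSuccessEvent instead of the login controller, with the request check hardened (runs before the firewall, skips requests without a session, compares strictly, logs the mismatch). Assumes Symfony 5.4+ with the authenticator-based security system; the class name, log message and redirect target are my own choices.

```php
<?php
// Added example, not the post's code; class name and session key are assumptions.
namespace App\EventSubscriber;

use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Http\Event\LoginSuccessEvent;

final class SessionIpBindingSubscriber implements EventSubscriberInterface
{
    private const SESSION_KEY = 'security.login_ip';
    public function __construct(private LoggerInterface $logger) {}

    public static function getSubscribedEvents(): array
    {
        return [
            LoginSuccessEvent::class => 'onLoginSuccess',
            // Priority 16: after the session listener (128), before the firewall (8),
            // so a stolen session is destroyed before its security token is restored.
            KernelEvents::REQUEST => ['onKernelRequest', 16],
        ];
    }

    public function onLoginSuccess(LoginSuccessEvent $event): void
    {
        $request = $event->getRequest();
        // getClientIp() only sees the real client if framework.trusted_proxies is set.
        $request->getSession()->set(self::SESSION_KEY, $request->getClientIp());
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest() || !$request->hasSession()) {
            return;
        }
        $session = $request->getSession();
        $boundIp = $session->get(self::SESSION_KEY);
        $currentIp = $request->getClientIp();
        if ($boundIp === null || $boundIp === $currentIp) {
            return; // not logged in yet, or same address (strict compare, no strcmp() on null)
        }
        $this->logger->warning('Session IP mismatch, invalidating session', ['bound' => $boundIp, 'seen' => $currentIp]);
        $session->invalidate();
        $event->setResponse(new RedirectResponse('/login'));
    }
}
```

Users whose address legitimately changes mid-session (mobile networks, load-balanced egress) will be logged out on their next request, so watch the volume of that warning before rolling this out widely.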
I hope this will help you protect your apps.
Good luck with your development.