Invalidating Laravel log-in sessions on password change

For security reasons it’s fairly good practice to invalidate all log-in sessions when a users password is changed. This is especially useful when a users account has been compromised and they go to change or reset their password. Without log-in session invalidation the attacker will still be logged in and able to cause chaos.

Setting a secure remember me cookie in Laravel

As of Laravel 5.0 it’s still not possible to set the remember me cookie with a secure flag. This is slightly weird as there is a configuration option for secure session cookies. Fortunately modifying Laravel to set a secure log-in cookie is not too difficult – all we need to do is provide a custom Guard class for the Auth driver which overrides the setRecaller() method.

Debugging Nginx Errors

Dealing with errors in nginx can be a frustrating experience if nginx isn’t configured correctly. Sadly, the default value for error log is less than optimal, and some of the…

Securing Nginx + PHP When Using Path Info

Remember register globals? Remember how you had to code as if it was off, because it might be? Remember how you had to consider the security implications of it being…

The Fun that is UTF-8 Support in PHP

Lately I’ve been working with a friend on a daily-deal aggregator. The Groupon-like sites are popping up everywhere and the market for aggregators is still fairly unfilled. My project, Alladeals, target the Swedish daily deals market and as such it needs to support Swedish characters. In future it might have to support other languages as well so I decided that UTF8 was the way to go. Since most webpages are encoded in UTF-8 these days it has been fairly painless to actually work with UTF-8 in PHP, that is, until yesterday.

Implementing Full-Page caching with Nginx and PHP

This is part two in my caching series. Part one covered the concept behind the full page caching as well as potential problems to keep in mind. This part will focus on implementing the concept in actual PHP code. By the end of this you’ll have a working implementation that can cache full pages and invalidate them intelligently when an update happens.