
dentro/paranoia
===============

HTTP Session Security for Laravel

v0.2.0 (1y ago) · MIT · PHP ^8.3.0

Since Oct 7 · Pushed 1y ago · 4 watchers

[Source](https://github.com/digital-entropy/paranoia) · [Packagist](https://packagist.org/packages/dentro/paranoia)

Paranoia
========


---

> **Caution:** Paranoia only supports sessions using the `database` driver. We plan to support more drivers if there is demand for them. Please open a new issue to request the driver you want supported.

> **Important:** In session hijacking (TCP hijacking), attackers steal a web user's active session by acquiring their unique session ID. This lets them impersonate the user, accessing data or performing actions as if they were the legitimate user.

The minimum measure against session hijacking is to avoid being hijacked in the first place by using a secure transport protocol such as **https**. This package provides an extra layer of session security by detecting suspicious changes (user agent, location, IP) in a user's session.

> **Requires [PHP 8.3+](https://php.net/releases/)**

Geo Restriction Detection
-------------------------

Prevents unauthorized access based on Geo IP. The Geo IP check relies on [ipinfo.io](https://ipinfo.io). Geo Restriction suits applications that follow strict security rules under a **limited-country access** policy, such as those in government, financial institutions, and internal software.

```
# Register this Middleware
\Dentro\Paranoia\Middlewares\GeoRestrictionMiddleware::class

# Event dispatched by this detection
\Dentro\Paranoia\Events\GeoRestrictionDetected::class
```

Check [OWASP AppSensor](https://owasp.org/www-project-appsensor/) at **RP1: Suspicious or Disallowed User Source Location** for more information.

IP Changes During Session Detection
-----------------------------------

Detects IP changes during a session. It can be used to prevent unauthorized access by detecting a change to a new IP. Be aware that switching WiFi networks or mobile data can be detected as a new IP, so enable this with full awareness of that.

```
# Register this Middleware
\Dentro\Paranoia\Middlewares\IPChangeRestrictionMiddleware::class

# Event dispatched by this detection
\Dentro\Paranoia\Events\IPChangeDuringSessionViolationDetected::class
```

User-Agent Changes During Session Detection
-------------------------------------------

Detects user-agent changes during a session. This middleware works the same way as Location Changes Detection, but it checks for suspicious changes to the User-Agent. It can prevent a user's session from moving between multiple user agents.

```
# Register this Middleware
\Dentro\Paranoia\Middlewares\UserAgentChangeRestrictionMiddleware::class

# Event dispatched by this detection
\Dentro\Paranoia\Events\UserAgentChangeDuringSessionViolationDetected::class
```

This feature minimizes the **escalation** risk of a [Session Hijacking Attack](https://owasp.org/www-community/attacks/Session_hijacking_attack).

Check [OWASP AppSensor](https://owasp.org/www-project-appsensor/) at **SE6: Change of User Agent Mid Session** for more information.
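
The mid-session checks described in the IP change and User-Agent change sections above, as an added stand-alone PHP sketch; it is not the package's code. The function names and the prefix-tolerance option are assumptions (the option goes beyond the text, to address the WiFi/mobile-data caveat), and the `ip_address`/`user_agent` keys mirror the columns of Laravel's default `sessions` table.

```php
<?php
declare(strict_types=1);
// Added illustration, not code from dentro/paranoia. Names here are hypothetical.

/** Mask an IP down to a prefix length; returns null when the address cannot be parsed. */
function networkPrefix(string $ip, int $v4Bits, int $v6Bits): ?string
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return null;
    }
    $bits = strlen($packed) === 4 ? $v4Bits : $v6Bits;
    $masked = '';
    foreach (str_split($packed) as $i => $byte) {
        $keep = max(0, min(8, $bits - $i * 8)); // bits of this byte inside the prefix
        $masked .= chr(ord($byte) & (0xFF << (8 - $keep)) & 0xFF);
    }
    return inet_ntop($masked);
}

// Compare the values stored with the session against the current request.
// Defaults (32/128) demand an exact IP match; shorter prefixes tolerate moves inside one network.
function sessionViolations(array $stored, array $current, int $v4Bits = 32, int $v6Bits = 128): array
{
    $violations = [];
    $before = networkPrefix((string) ($stored['ip_address'] ?? ''), $v4Bits, $v6Bits);
    $now = networkPrefix((string) ($current['ip_address'] ?? ''), $v4Bits, $v6Bits);
    if ($before === null || $now === null || $before !== $now) {
        $violations[] = 'ip_changed'; // fail closed on unparsable addresses
    }
    if ((string) ($stored['user_agent'] ?? '') !== (string) ($current['user_agent'] ?? '')) {
        $violations[] = 'user_agent_changed';
    }
    return $violations;
}

// Constructed sample data (documentation address ranges).
$ua = 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0';
$stored = ['ip_address' => '203.0.113.10', 'user_agent' => $ua];
$requests = [
    'same client'           => ['ip_address' => '203.0.113.10', 'user_agent' => $ua],
    'same /24, new address' => ['ip_address' => '203.0.113.77', 'user_agent' => $ua],
    'new network, new UA'   => ['ip_address' => '198.51.100.4', 'user_agent' => 'curl/8.5.0'],
];
foreach ($requests as $label => $request) {
    printf("%-22s exact=%s prefix=%s\n", $label, json_encode(sessionViolations($stored, $request)),
        json_encode(sessionViolations($stored, $request, 24, 64)));
}
```

Exact matching flags the second request as an IP change, while the /24 and /64 prefixes accept it; the trade-off is that a hijacker on the same network prefix is no longer caught by the IP check alone.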

Utilities
---------

> **Caution:** We plan to split these security utilities into a separate package.

### X-Form Header Encoding as Form

This utility prevents plain-text body submission.

```
# Register this Middleware
\Dentro\Paranoia\Middlewares\FormViaHeaderMiddleware::class
```

The middleware reads the `X-Form` header, decodes it into an array, and converts that array into the request's inputs.

Configuration
-------------

```
IPINFO_TOKEN=your_ipinfo_token
```

Roadmap
-------

Our roadmap for more security features:

- Support more session drivers
- Remove the dependency on ipinfo.io

### Community

Maintainers: [muhajirinlpu](/maintainers/muhajirinlpu), [addeeandra](/maintainers/addeeandra)

