Laravel Sessions & Middleware

Priority: P1 (HIGH)

app/Http/
├── Middleware/         # Custom logic layers
└── Kernel.php          # Global/Group registration

Session Driver: Use redis or memcached for production/high-density environments.
Middleware Chain: Keep logic granular; one middleware per responsibility.
Global Middleware: Apply via bootstrap/app.php only for true globals (logging, headers).
Security Headers: Standardize headers (HSTS, CSP, X-Frame) via dedicated middleware.
CSRF Protection: Ensure VerifyCsrfToken is active for all web routes.
Session Lifecycle: Use $request->session()->regenerate() after login/privilege changes.

File Streams: No file session driver: Avoid in scaled apps due to I/O locks.
Env direct: No env('SESSION_...'): Always use config('session...').
Heavy Bloat: No heavy logic in Middleware: Offload to Services if >10 lines.
Trusting Client: No sensitive data in Cookies: Store in server sessions only.