For some strange reason, Laravel's database session driver stores IP addresses and user agents in the sessions table.
Almost all session drivers other than the database driver don't seem to collect IP addresses.
The Simple Way
To mostly prevent this, the easiest (almost no-code) way is to change the column types of the IP address and user agent columns in the sessions table migration from varchar to boolean.
    Schema::create('sessions', function (Blueprint $table) {
        $table->string('id')->primary();
        $table->foreignId('user_id')->nullable()->index();
        $table->boolean('ip_address')->nullable();
        $table->boolean('user_agent')->nullable();
        $table->text('payload');
        $table->integer('last_activity')->index();
    });
In this example, the IP address and user agent are reduced to tiny integers, leaving only the first octet.
Since sessions are only looked up by id and not by IP address or user agent, this seems safe. But always verify this yourself. If the Laravel code were ever updated to look up sessions by user agent and IP address, random sessions could be selected, which might become a vulnerability.
It could also happen that IP address and user agent data still end up in MySQL logs or other logs, so the code way below could be more robust.
There are other ways, by overriding / extending the session driver:
- Overwriting a cache driver
- Laracasts question about a Session Database Table without IP
- The Laravel guide to overwrite session drivers
The Code Way
That led to the code way. I think this is the most elegant way. You can also create a custom Database Session driver:
app/Providers/AppServiceProvider.php
    <?php

    namespace App\Providers;

    use Illuminate\Pagination\Paginator;
    use Illuminate\Support\ServiceProvider;
    // Session part
    use App\Extensions\SimpleDatabaseSessionHandler;
    use Illuminate\Contracts\Foundation\Application;
    use Illuminate\Support\Facades\Session;
    use Illuminate\Database\ConnectionInterface;

    class AppServiceProvider extends ServiceProvider
    {
        /**
         * Register any application services.
         */
        public function register(): void
        {
            //
        }

        /**
         * Bootstrap any application services.
         */
        public function boot(ConnectionInterface $connection): void
        {
            // Register the custom 'database-simple' session driver, reusing the
            // table name and lifetime from config/session.php.
            Session::extend('database-simple', function (Application $app) use ($connection) {
                $table = \Config::get('session.table');
                $minutes = \Config::get('session.lifetime');

                return new SimpleDatabaseSessionHandler($connection, $table, $minutes);
            });
        }
    }
Then add the file app/Extensions/SimpleDatabaseSessionHandler.php. This overrides the method that adds the extra IP address and user agent info.
    <?php

    namespace App\Extensions;

    use Illuminate\Session\DatabaseSessionHandler;

    class SimpleDatabaseSessionHandler extends DatabaseSessionHandler
    {
        /**
         * Skip adding the request information (IP address and user agent)
         * to the session payload.
         *
         * @param  array  $payload
         * @return $this
         */
        protected function addRequestInformation(&$payload)
        {
            // Intentionally leave the payload untouched.
            return $this;
        }
    }
And finally change your session driver in config/session.php to:
'driver' => 'database-simple',
With this approach you don't need to change the database migration.
Use at your own risk of course, test it well and if you spot any bugs, please let us know :).
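One way to test the code way, as an added example that is not part of the original post: a PHPUnit feature test that writes one session through Laravel's stock DatabaseSessionHandler and one through SimpleDatabaseSessionHandler, then compares the stored rows. The file path, session ids, IP address and user agent are constructed for illustration; it assumes your migrations create the sessions table with the original varchar columns (not the boolean ones from the simple way), and it passes the application container to the handler as the optional fourth constructor argument so that the request-information step actually runs.

```php
<?php
// tests/Feature/SessionPrivacyTest.php (hypothetical path; added example)
namespace Tests\Feature;

use App\Extensions\SimpleDatabaseSessionHandler;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Http\Request;
use Illuminate\Session\DatabaseSessionHandler;
use Illuminate\Support\Facades\DB;
use Tests\TestCase;

class SessionPrivacyTest extends TestCase
{
    use RefreshDatabase; // assumes the migrations create the sessions table

    protected function setUp(): void
    {
        parent::setUp();
        // Constructed request: documentation-range IP and a made-up user agent.
        $this->app->instance('request', Request::create('/', 'GET', [], [], [], [
            'REMOTE_ADDR' => '203.0.113.7',
            'HTTP_USER_AGENT' => 'ExampleAgent/1.0',
        ]));
    }

    // Write one session through the given handler class and return the stored row.
    private function writeAndFetch(string $handlerClass, string $id): object
    {
        // The container is passed so the handler runs its request-information step.
        $handler = new $handlerClass(DB::connection(), 'sessions', 120, $this->app);
        $handler->write($id, serialize(['constructed' => true]));

        return DB::table('sessions')->where('id', $id)->first();
    }

    public function test_stock_handler_stores_ip_and_user_agent(): void
    {
        $row = $this->writeAndFetch(DatabaseSessionHandler::class, 'constructed-id-stock');
        $this->assertSame('203.0.113.7', $row->ip_address);
        $this->assertSame('ExampleAgent/1.0', $row->user_agent);
    }

    public function test_simple_handler_stores_neither(): void
    {
        $row = $this->writeAndFetch(SimpleDatabaseSessionHandler::class, 'constructed-id-simple');
        $this->assertNull($row->ip_address);
        $this->assertNull($row->user_agent);
    }
}
```

The first test is a control: if it fails, the request was not visible to the handler and the second test's null values would prove nothing.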