06 Laravel - Eloquent (DB) Continued, Validation, Cookies and Sessions


Laravel: Eloquent (DB) continued,

Validation, Cookies and Sessions


Web, Mobile and Security
Frédéric Vlummens
Agenda

• Eloquent: recap
• Selecting all records
• Adding a record
• Eloquent use cases
• Selecting a specific record
• Updating a specific record
• Deleting a specific record
• Validation
• Cookies
• Sessions

25/03/2020 Web, Mobile and Security – Laravel: Eloquent (DB) continued, Validation, Cookies and Sessions 2
Eloquent: recap

• Eloquent = ORM (Object-Relational Mapper)


• Database tables have corresponding models, used to interact with tables
• We do not write SQL code ourselves, but let Eloquent generate it for us
• Convention over configuration:
  • Table names are plural, corresponding Models singular
  • Each table has a PK field called id of type INTEGER AUTO_INCREMENT
  • One-to-many relationships are handled in the database by taking the singular of the table name and suffixing the foreign key field with _id
• These are conventions: we do not need to explain the pluralization rules or primary keys to Laravel
• As long as we follow the rules, Eloquent knows what to do
Eloquent: recap

Database table names are pluralized


Primary keys are auto increment integers called id
For 1 to many relationships, the foreign key name consists of the related table name in singular, suffixed by _id

Eloquent: recap

• Selecting all records using all():

• Adding a specific record using save():

Eloquent: additional use cases
Eloquent use cases

• Using the find() method, select a record based on its primary key

• Using the save() method, you can also update existing records:

• Using the delete() method, you can delete an existing record:
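The three calls above in one controller, as an added example that is not taken from the original slides. The Product model, its price column, the view name and the URLs are assumptions. findOrFail() is used for update and delete so that an unknown id gives a 404 instead of a method call on null.

```php
<?php
// Added example: Product, its "price" column and the routes are hypothetical names.
namespace App\Http\Controllers;

use App\Models\Product; // assumed model, maps to table "products" by convention
use Illuminate\Http\Request;

class ProductController extends Controller
{
    // Select one record by primary key. find() returns null when no row matches.
    public function show(int $id)
    {
        $product = Product::find($id);
        if ($product === null) {
            abort(404);
        }
        return view('products.show', ['product' => $product]);
    }

    // Update: load the record, change its attributes, call save() again.
    public function update(Request $request, int $id)
    {
        $data = $request->validate(['price' => 'required|numeric|min:0']);

        $product = Product::findOrFail($id); // 404 when the id does not exist
        $product->price = $data['price'];
        $product->save();                    // Eloquent generates the UPDATE

        return redirect('/products/' . $id);
    }

    // Delete: load the record, then call delete() on it.
    public function destroy(int $id)
    {
        Product::findOrFail($id)->delete();  // Eloquent generates the DELETE
        return redirect('/products');
    }
}
```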

Validation

• Validate form input on server-side


• Do not depend on client-side validation only!
• Define rules per parameter
• Rules are combined using the | symbol
• When validation fails, user gets returned to originating view
• $errors variable can be used to display validation errors

Validation

Individual rules per parameter


See https://laravel.com/docs/master/validation

Keys must match name attributes of your form fields

Validation

validate() method returns an associative array, containing all validated values

Validation

• In Blade file:

Only if there are errors… loop over them and print them out
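The validation steps above put together, as an added example that is not taken from the original slides. The Booking model, its columns, the form field names and the redirect URL are assumptions. The Blade part is shown as a comment at the end of the block.

```php
<?php
// Added example: Booking, its columns and the URLs are hypothetical names.
namespace App\Http\Controllers;

use App\Models\Booking; // assumed model, maps to table "bookings" by convention
use Illuminate\Http\Request;

class BookingController extends Controller
{
    public function store(Request $request)
    {
        // Keys match the name attributes of the form fields; rules are joined with |.
        // On failure Laravel redirects back to the form and fills $errors.
        $validated = $request->validate([
            'name'   => 'required|string|max:100',
            'email'  => 'required|email',
            'guests' => 'required|integer|min:1|max:12',
            'date'   => 'required|date|after:today',
        ]);

        // Work only with the returned array: fields a client adds to the
        // request without a rule are not part of it.
        $booking = new Booking();
        $booking->name   = $validated['name'];
        $booking->email  = $validated['email'];
        $booking->guests = $validated['guests'];
        $booking->date   = $validated['date'];
        $booking->save();

        return redirect('/bookings');
    }
}

/* In the Blade view that holds the form:

@if ($errors->any())
    <ul>
        @foreach ($errors->all() as $error)
            <li>{{ $error }}</li>
        @endforeach
    </ul>
@endif

{{ }} HTML-escapes the message before printing it.
*/
```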

Cookies
HTTP = stateless protocol

• When submitting a form, all previous data is lost


• (Except if we store in database)
• Reason: HTTP is a stateless protocol
• Each request is independent from the subsequent one

HTTP = stateless protocol

• Somehow, we must make sure our webserver code “remembers” us


• Solutions have been developed:
• Cookies
• Sessions

Cookie

• Small text file


• Sent from website (server) and stored by browser (client)
• Upon each subsequent request, the cookie is sent back to the server
• This way, the server “recognizes” the client from previous requests
• Circumvent the statelessness of the HTTP protocol

Cookies in Laravel

• A cookie has a name, value and expiration time

• We put our cookie in the queue. It will be handled by Laravel and sent back to the client via the response.

Cookies in Laravel

• Retrieving the cookie:

Cookies: inspecting request – response using Postman

Cookies: what about security?
Visualisation in browser:
• Information is stored locally
• Transmitted with each request
• What about confidential data?
• Some solutions:
  • Encryption of cookie value (= default behavior in Laravel)
  • HTTPS
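Queuing and reading a cookie with the two protections named above, as an added example that is not taken from the original slides. The cookie name, the language list, the view name and the controller are assumptions. Encryption of the value relies on Laravel's default web middleware; the Secure flag restricts the cookie to HTTPS.

```php
<?php
// Added example: the "language" cookie and this controller are hypothetical.
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cookie;

class PreferenceController extends Controller
{
    private const LANGUAGES = ['en', 'nl', 'fr']; // constructed allow-list

    public function store(Request $request)
    {
        $data = $request->validate(['language' => 'required|in:en,nl,fr']);

        // Arguments: name, value, minutes, path, domain,
        //            secure, httpOnly, raw, sameSite
        Cookie::queue(Cookie::make(
            'language',
            $data['language'],
            60 * 24 * 30, // expiration time: 30 days, in minutes
            null,
            null,
            true,         // Secure: only sent over HTTPS
            true,         // HttpOnly: not readable from JavaScript
            false,        // not raw
            'lax'         // SameSite
        ));

        // The queued cookie is attached to the outgoing response by Laravel.
        return redirect('/');
    }

    public function show(Request $request)
    {
        // The cookie is stored on the client, so check the value
        // against the allow-list before using it.
        $language = $request->cookie('language');
        if (!in_array($language, self::LANGUAGES, true)) {
            $language = 'en';
        }
        return view('welcome', ['language' => $language]);
    }
}
```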

Cookies: overcoming statelessness

Cookies versus local storage

Cookies:
• Key-value pairs (strings)
• Used to obtain state in stateless HTTP world
• Transmitted with each Request – Response

Local storage:
• Key-value pairs (strings)
• Used for local data only
• If you want data in local storage available on server, you need to send it explicitly
( cookies)
Sessions
Overcoming HTTP statelessness

• We now know how to store information in HTTP cookies


• Information is stored on client
• Transmitted to server with each request
• What if we want to store more data?
• Data not to be manipulated at the client side?
• Examples:
• Contents of shopping cart
• Restaurant bookings
• Solution: sessions

Sessions

Sessions

• Each session gets a unique (session) ID


• ID stored, usually in a cookie
• On server side, lots of info can be stored, associated with cookie (e.g. shopping cart)

Sessions in Laravel

• Store something in the session:

• You obtain a reference to the session via the $request->session() method
• Each item has a key (here “my-item”) and value (here contents of $item)

Retrieving something from the session

• Retrieving something from the session

• You obtain a reference to the session via the $request->session() method
• Retrieve item based on its key

Sessions in Laravel

• Keeping list of items (array) in the session
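A shopping cart kept in the session, as an added example that is not taken from the original slides. The Product model, its price column, the "cart" key, the view name and the URLs are assumptions. The client only sends a product id and a quantity; the cart itself and the prices stay on the server, where the client cannot manipulate them.

```php
<?php
// Added example: Product, the "cart" session key and the URLs are hypothetical.
namespace App\Http\Controllers;

use App\Models\Product; // assumed model with a "price" column, table "products"
use Illuminate\Http\Request;

class CartController extends Controller
{
    public function add(Request $request)
    {
        // The request carries an id and a quantity, never a price.
        $data = $request->validate([
            'product_id' => 'required|integer|exists:products,id',
            'quantity'   => 'required|integer|min:1|max:20',
        ]);

        // push() appends to the array stored under the key "cart".
        $request->session()->push('cart', [
            'product_id' => (int) $data['product_id'],
            'quantity'   => (int) $data['quantity'],
        ]);
        return redirect('/cart');
    }

    public function show(Request $request)
    {
        // get() with a default: an empty cart when the key is not set yet.
        $cart = $request->session()->get('cart', []);

        // Prices are looked up in the database, not taken from the client.
        $total = 0;
        foreach ($cart as $line) {
            $product = Product::find($line['product_id']);
            if ($product !== null) {
                $total += $product->price * $line['quantity'];
            }
        }
        return view('cart.show', ['cart' => $cart, 'total' => $total]);
    }

    public function clear(Request $request)
    {
        $request->session()->forget('cart'); // remove the item by its key
        return redirect('/cart');
    }
}
```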

More information?

• https://laravel.com/docs/master/session

Questions?
