From 75cef503c6edc3447dd79053a648ea981857e15b Mon Sep 17 00:00:00 2001 From: Taylor Otwell Date: Mon, 16 Feb 2026 17:15:44 -0600 Subject: [PATCH] use json session serialization for new applications --- config/session.php | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/config/session.php b/config/session.php index 5b541b75..f5744827 100644 --- a/config/session.php +++ b/config/session.php @@ -214,4 +214,20 @@ return [ 'partitioned' => env('SESSION_PARTITIONED_COOKIE', false), + /* + |-------------------------------------------------------------------------- + | Session Serialization + |-------------------------------------------------------------------------- + | + | This value controls the serialization strategy for session data, which + | is JSON by default. Setting this to "php" allows the storage of PHP + | objects in the session but can make an application vulnerable to + | "gadget chain" serialization attacks if the APP_KEY is leaked. + | + | Supported: "json", "php" + | + */ + + 'serialization' => 'json', + ];