Introduction to Laravel – Part 2 of 3

Laravel: what does it do out of the box?

Out of the box, Laravel already ships with a wide range of basic functionality:

  • Session and Token Based Authentication
  • Eloquent ORM
  • CSRF Protection
  • Customisable Middleware
  • Events System
  • Queues
  • File Storage
  • Caching
  • Sessions

Session and Token Based Authentication

This is a method of authenticating users by generating a session or token, storing it on the server side and handing a copy (a session cookie or a bearer token) to the client. The client sends it with every request and the server compares it to the stored value; if they match the request is treated as authenticated, if not the user is sent to the login page or, for API clients, given a 401 Unauthorized response (403 Forbidden is reserved for an authenticated user who lacks permission for what they asked). Laravel does this out of the box via its Auth facade and the auth middleware.
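A minimal session-login flow using the Auth facade, added here as an example (it is not code from the original post). It assumes a default Laravel app with the stock users table and the web middleware group; the /dashboard route is a placeholder.

```php
<?php
// Added example (not from the original post): session login with Laravel's
// Auth facade. Assumes a default Laravel app with the built-in `users`
// table and the `web` middleware group applied to these routes.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

Route::post('/login', function (Request $request) {
    $credentials = $request->validate([
        'email'    => ['required', 'email'],
        'password' => ['required'],
    ]);

    // Auth::attempt() looks the user up by the non-password columns and
    // verifies the password hash; it returns false on failure rather than
    // raising an error, so the failure path is handled explicitly.
    if (!Auth::attempt($credentials)) {
        return back()->withErrors(['email' => 'Invalid credentials.']);
    }

    // Rotate the session ID after login so that an ID an attacker planted
    // before authentication (session fixation) is never promoted to an
    // authenticated session.
    $request->session()->regenerate();

    return redirect()->intended('/dashboard');
});

// Routes behind the `auth` middleware redirect unauthenticated browser
// requests to the login page; clients that expect JSON get 401 instead.
Route::middleware('auth')->group(function () {
    Route::get('/dashboard', function () {
        return 'Hello, ' . Auth::user()->name;
    });
});

Route::post('/logout', function (Request $request) {
    Auth::logout();
    // Invalidate the session and rotate the CSRF token so neither the old
    // cookie nor the old token is usable after logout.
    $request->session()->invalidate();
    $request->session()->regenerateToken();

    return redirect('/');
});
```

The regenerate() call on login is the step most often missed: without it the session ID from before authentication carries over, which is what makes session fixation work.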

Eloquent ORM

ORM stands for Object-Relational Mapping: rows in a relational database are mapped onto objects in an object-oriented language, so application code works with a virtual object model rather than hand-written SQL. In Laravel's case, Eloquent models and their query builder can express anything from simple lookups to quite advanced SQL. A model is defined as a class and tied by convention to the table named with the snake_case plural of the class name: a model User maps to the users table. The model and its query builder methods are then used to read and change the data stored in that table, with values passed as bound parameters rather than spliced into the SQL text. This is a very simple example of what Eloquent ORM can be used for. More information here.
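A User model with the two guards a practitioner looks for first, mass-assignment protection and parameter binding, added as an example (not code from the original post). It assumes a default Laravel app with the stock users table; the is_admin column and the register() controller function are assumed for illustration.

```php
<?php
// Added example (not from the original post). Assumes a default Laravel app
// with a `users` table (id, name, email, password, timestamps); the
// is_admin column mentioned below is assumed for illustration only.

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class User extends Authenticatable
{
    // Eloquent infers the table name `users` from the class name; $table
    // only needs setting when that convention does not apply.
    protected $table = 'users';

    // Mass-assignment allow-list: only these columns may be set from an
    // array passed to create()/fill(). Without it, a request carrying
    // is_admin=1 fed to User::create($request->all()) would set that column.
    protected $fillable = ['name', 'email', 'password'];

    // Never serialise the password hash into JSON responses.
    protected $hidden = ['password'];
}

// Query builder values are sent as bound parameters, so $email is never
// spliced into the SQL text.
function findByEmail(string $email): ?User
{
    return User::where('email', $email)->first();
}

// Raw fragments stay safe when the value goes through a `?` binding...
function findByEmailCaseInsensitive(string $email): ?User
{
    return User::whereRaw('LOWER(email) = ?', [strtolower($email)])->first();
}

// ...and become SQL injection when interpolated. Do not do this:
//   User::whereRaw("email = '$email'")->first();

function register(Request $request): User
{
    $data = $request->validate([
        'name'     => ['required', 'string', 'max:255'],
        'email'    => ['required', 'email', 'unique:users,email'],
        'password' => ['required', 'string', 'min:12'],
    ]);

    // Only validated keys reach create(), and $fillable blocks anything else.
    return User::create([
        'name'     => $data['name'],
        'email'    => $data['email'],
        'password' => Hash::make($data['password']),
    ]);
}
```

The model and the helper functions are shown in one listing for brevity; in a real app the functions would live in a controller.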

CSRF Protection

CSRF, or Cross-Site Request Forgery, is a major class of web attack that can be used against your website or web app. It is a method of getting a victim's browser to send a request to a site where the victim is already authenticated, so that the request is carried out with their session. For example, let's say that you were logged into your online banking. While logged in, the banking system allows your browser to transfer money between accounts, which is done via a request to the server to send an amount from one account to another. If an attacker knows you are likely to be logged in and knows the shape of that request, they can build a page (a hidden form that submits itself, say) that makes your browser send the transfer request. The browser attaches your session cookie automatically, so the banking system cannot tell that it was the attacker's page and not you that initiated it. CSRF protection is a way of preventing this from happening.

CSRF protection works by storing a random token in the user's session on the server and embedding the same token in the pages the server renders; in Laravel that is a hidden _token form field added by the @csrf Blade directive, or the XSRF-TOKEN cookie that JavaScript clients read and send back in the X-XSRF-TOKEN header. Every state-changing request (POST, PUT, PATCH, DELETE) must carry the token. The server compares it with the one in the session: if they match the request is allowed to continue, if not it is rejected (Laravel answers with a 419 response). An attacker's page cannot read the token because of the browser's same-origin policy, so a forged request arrives without it and is blocked. The token is tied to the session rather than changed on every request; Laravel regenerates it on login and logout, and it is only as strong as the session cookie that accompanies it.

Customisable Middleware

Middleware is a stack of classes that a request passes through before a controller method is ever called (and, for some middleware, again on the way out with the response). Each layer either hands the request on to the next one or returns a response itself, such as a redirect to the login page or a 403, in which case the controller is never reached. Laravel's built-in middleware covers features like authentication, CSRF protection and cookie encryption. Middleware can be added to or removed from the stack easily: it can be applied globally, to individual routes, or to route groups that share the same middleware stack.
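The CSRF check from the previous section and the middleware stack from this one, in one added example (not code from the original post, and not Laravel's own VerifyCsrfToken source). It writes the check out as a custom middleware so the logic is visible, then shows routes with different middleware stacks. It assumes a default Laravel app; the /transfer and webhook routes and the CheckCsrfToken class name are assumptions. In practice you keep the stock middleware that the web group already applies rather than replacing it.

```php
<?php
// Added example (not from the original post or Laravel's own source).
// A custom middleware performing the same check as Laravel's built-in
// VerifyCsrfToken, plus routes showing how middleware stacks are assigned.
// Assumes a default Laravel app with sessions started for these routes.
// Middleware class and routes are shown in one listing for brevity.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Symfony\Component\HttpKernel\Exception\HttpException;

class CheckCsrfToken
{
    // Paths exempt from the check, e.g. webhooks authenticated another way.
    // Keep this list short: every entry is a hole in CSRF protection.
    protected array $except = ['webhooks/payment-provider'];

    public function handle(Request $request, Closure $next)
    {
        // Safe methods do not change state and are not checked.
        if (in_array($request->method(), ['GET', 'HEAD', 'OPTIONS'], true)) {
            return $next($request);
        }
        foreach ($this->except as $path) {
            if ($request->is($path)) {
                return $next($request);
            }
        }

        $expected = $request->session()->token();
        // Form field first, then the header JavaScript clients use.
        $sent = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

        // A forged cross-site request cannot read the session token, so
        // $sent is absent or wrong. hash_equals() avoids a timing leak.
        if (!is_string($sent) || !hash_equals($expected, $sent)) {
            // Returning a response here means the controller never runs.
            throw new HttpException(419, 'CSRF token mismatch.');
        }

        return $next($request);
    }
}

// routes/web.php: different routes get different middleware stacks.
Route::middleware(['auth', CheckCsrfToken::class])->group(function () {
    Route::post('/transfer', fn () => 'transfer accepted');
});

// The webhook is exempt from CSRF but must be authenticated some other
// way (a signature-check middleware would go in this list).
Route::post('/webhooks/payment-provider', fn () => 'ok');
```

In a Blade template the form gets the @csrf directive, which expands to the hidden _token input the middleware reads; the stock VerifyCsrfToken additionally accepts the encrypted XSRF-TOKEN cookie via the X-XSRF-TOKEN header.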

Events System

Laravel also ships with its own events system. PHP has no built-in event mechanism like the DOM events in JavaScript, so this is incredibly useful when building larger or more modular web apps. The system can also be coupled with Laravel's queues to build, for example, a flow that sends an email 10 seconds after the request has been made without slowing the response from the user's perspective.

The events system is very useful when building extensible web apps. Because an event can have multiple listeners, each bit of logic can be decoupled from the others: for example you might want one event to both send an email and add a line to a log file; as these are two different actions with different purposes they should really be separated, and the event system lets you do that with one listener for each.

A good example of using the events system in Laravel can be found here
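One event with two independent listeners, one queued with a delay and one synchronous, added as an example (not the code linked above and not from the original post). It assumes a default Laravel app with a queue worker running; the Order model, the OrderConfirmation mailable and the customer_email column are assumed.

```php
<?php
// Added example (not from the original post): one event, two listeners.
// Assumes a default Laravel app with `php artisan queue:work` running;
// App\Models\Order and App\Mail\OrderConfirmation are assumed to exist.
// Classes are shown in one listing for brevity.

namespace App;

use App\Mail\OrderConfirmation;     // assumed Mailable
use App\Models\Order;               // assumed Eloquent model
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Events\Dispatchable;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Mail;

class OrderPlaced
{
    use Dispatchable, SerializesModels;

    public function __construct(public Order $order) {}
}

// Implementing ShouldQueue moves this listener onto the queue, so the
// HTTP response is sent without waiting for SMTP. $delay is honoured by
// the worker and gives the 10-second gap described in the text.
class SendOrderConfirmation implements ShouldQueue
{
    public int $delay = 10;

    public function handle(OrderPlaced $event): void
    {
        Mail::to($event->order->customer_email)
            ->send(new OrderConfirmation($event->order));
    }
}

// Runs synchronously in the request: the audit trail must not depend on
// the queue being healthy.
class LogOrderPlaced
{
    public function handle(OrderPlaced $event): void
    {
        // Log identifiers, not the whole record: no card or address data.
        Log::info('order placed', ['order_id' => $event->order->id]);
    }
}

// app/Providers/EventServiceProvider.php wires the listeners to the event:
//   protected $listen = [
//       OrderPlaced::class => [SendOrderConfirmation::class, LogOrderPlaced::class],
//   ];
//
// Firing the event from a controller once the order is saved:
//   OrderPlaced::dispatch($order);
```

Neither listener knows about the other, so a third (say, a stock adjustment) can be added to the $listen map without touching the controller or the existing listeners.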

Queues

Queues are built into Laravel to help process long-running jobs: work that, if done during the request cycle, would slow the response and give the end user a poor experience. They work like the queue data structure: a worker takes each job from the queue, processes it and discards it if it succeeded (and retries it, or marks it failed, otherwise). They are very useful for sending email, since sending during the request cycle can dramatically increase load times; with a queue the request simply pushes a job to be processed later rather than doing the work there and then.
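A queued job with explicit retry and failure handling, added as an example (not code from the original post). It assumes a default Laravel app with QUEUE_CONNECTION set to redis or database and a worker running; the Order model, its gateway_ref and refunded_at columns, and the PaymentGateway service are assumed.

```php
<?php
// Added example (not from the original post): a queued job with bounded
// retries and a failure hook. Assumes a default Laravel app with a queue
// worker running; App\Models\Order (with gateway_ref, total, refunded_at)
// and App\Services\PaymentGateway are assumed to exist.

namespace App\Jobs;

use App\Models\Order;                      // assumed model
use App\Services\PaymentGateway;           // assumed service
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\Log;
use Throwable;

class ProcessRefund implements ShouldQueue
{
    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

    // Bound the blast radius of a flaky gateway: three attempts, with
    // 10 s then 30 s between them, and kill a single run after 120 s.
    public int $tries = 3;
    public array $backoff = [10, 30];
    public int $timeout = 120;

    // SerializesModels puts only the model class and key into the queue
    // payload and re-fetches the row when the job runs, so the worker acts
    // on current data rather than a snapshot taken at dispatch time.
    public function __construct(public Order $order) {}

    public function handle(PaymentGateway $gateway): void
    {
        // Idempotency guard: a retried job must never refund twice.
        if ($this->order->refunded_at !== null) {
            return;
        }

        $gateway->refund($this->order->gateway_ref, $this->order->total);
        $this->order->update(['refunded_at' => now()]);
    }

    public function failed(Throwable $e): void
    {
        // Runs after the final attempt fails; the job is also recorded in
        // the failed_jobs table for `php artisan queue:retry`.
        Log::error('refund failed', [
            'order_id' => $this->order->id,
            'error'    => $e->getMessage(),
        ]);
    }
}

// From a controller: the request returns immediately and the worker does
// the work. The delay mirrors the "10 seconds later" email case above.
//   ProcessRefund::dispatch($order)->delay(now()->addSeconds(10));
```

The idempotency check is the part that matters once retries are enabled: a job that succeeded at the gateway but failed before marking the order refunded will run again, and without the guard it would refund a second time.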

File Storage

Laravel's filesystem lets you define different disks. These disks can all be on the same hard drive, on separate drives or in the cloud; it makes no difference to the code that uses them. This means files can be stored and manipulated in any location through one interface.

The built-in system ships with local, SFTP, Amazon S3 and Rackspace drivers and is easily extended to other storage back ends.
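Storing an upload on a configurable disk and serving it back, added as an example (not code from the original post). It assumes a default Laravel app whose config/filesystems.php defines the local and s3 disks (both are in the default config); the /avatar routes are assumed.

```php
<?php
// Added example (not from the original post): file upload and download
// through Laravel's disk abstraction. Assumes a default Laravel app whose
// config/filesystems.php defines an `s3` disk with valid credentials.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;

Route::middleware('auth')->post('/avatar', function (Request $request) {
    $request->validate([
        // Validate type and size server-side; the client-supplied MIME type
        // and extension are not trusted on their own.
        'avatar' => ['required', 'image', 'max:2048'],
    ]);

    // store() generates a random filename, so the user-supplied name (which
    // could contain ../ or end in .php) never reaches the filesystem. The
    // disk name is the only thing that changes between local and S3.
    $path = $request->file('avatar')->store('avatars', 's3');

    return ['path' => $path];
});

Route::middleware('auth')->get('/avatar/{file}', function (string $file) {
    // Only plain generated filenames inside avatars/ are served, which
    // rules out traversal even though the disk API would accept any path.
    abort_unless(preg_match('/^[A-Za-z0-9]+\.(jpg|jpeg|png|gif)$/', $file), 404);
    abort_unless(Storage::disk('s3')->exists("avatars/{$file}"), 404);

    return Storage::disk('s3')->response("avatars/{$file}");
})->where('file', '[^/]+');
```

Swapping 's3' for 'local' (or reading the disk name from config) changes where the bytes land and nothing else, which is the point of the disk abstraction; the filename and path checks are needed regardless of disk.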

Caching

Laravel comes with several caching drivers, among them file, Memcached and Redis. Thanks to Laravel's driver system it is very easy to swap between them if your requirements change: if you were using the file cache and the load on your system increased or your data sets got very large, you could move to Redis simply by changing the configured driver. The documentation for caching is located here.
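A cache-aside read whose key is scoped to the user, added as an example (not code from the original post). It assumes a default Laravel app; the Order model with a user_id column and the /orders/summary route are assumed.

```php
<?php
// Added example (not from the original post): cache-aside read with a
// per-user key. Assumes a default Laravel app; App\Models\Order with a
// user_id column is assumed to exist.

use App\Models\Order;            // assumed model
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Route;

Route::middleware('auth')->get('/orders/summary', function () {
    $userId = auth()->id();

    // The key includes the user ID. A shared key such as 'orders:summary'
    // would hand the first user's figures to every other user for the next
    // ten minutes, whichever driver is behind the facade.
    return Cache::remember("orders:summary:user:{$userId}", 600, function () use ($userId) {
        return Order::where('user_id', $userId)
            ->selectRaw('COUNT(*) AS count, COALESCE(SUM(total), 0) AS total')
            ->first();
    });
});

// Drop the entry when the underlying data changes, e.g. after saving an order:
//   Cache::forget("orders:summary:user:{$order->user_id}");
//
// Moving from the file driver to Redis is configuration, not code: set
// CACHE_DRIVER=redis (CACHE_STORE in newer releases) in .env and this
// route runs unchanged.
```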

Sessions

Sessions are a way of remembering data on the server from one request to the next. They are usually implemented with a session ID stored in a cookie, which tells the server which session belongs to the current request. They have a multitude of uses, from remembering what is in a cart in an e-commerce site to simply tracking a user's movement through the site. Laravel starts and tracks sessions automatically and exposes them through the Session facade (or the session() helper). Because sessions hold data needed later in the user flow, including the authenticated user's identity, they need to be secure. What protects a Laravel session is the session ID cookie, not the CSRF token: the ID is long and random, the cookie is encrypted and signed by Laravel's cookie middleware, it should be marked HttpOnly, Secure and SameSite in config/session.php, and the ID should be regenerated on login so that a fixated ID is never upgraded to an authenticated session. The CSRF token mentioned above lives inside the session and protects against forged requests; it is not what grants access to the session, and it is not rotated on every request.
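The session cookie settings in config/session.php that matter for security, with the weak value noted beside the hardened one, added as an example (not the original post's content and not the unmodified stock file). It assumes a default Laravel app served over HTTPS.

```php
<?php
// Added example (not from the original post): a hardened excerpt of
// config/session.php. Assumes a default Laravel app served over HTTPS;
// keys not shown keep their stock values.

return [
    // Server-side stores keep session data off the client. The 'cookie'
    // driver ships the whole session to the browser (encrypted) instead.
    'driver' => env('SESSION_DRIVER', 'database'),

    // Minutes of inactivity before the session expires; shorter is safer
    // for anything that handles money.
    'lifetime' => 120,
    'expire_on_close' => false,

    // Weak: false (the stock default) stores session data in clear text.
    'encrypt' => true,

    'cookie' => env('SESSION_COOKIE', 'laravel_session'),

    // Weak: false lets the session cookie travel over plain HTTP.
    'secure' => true,

    // Weak: false exposes the session ID to any injected script (XSS).
    'http_only' => true,

    // Weak: null sends the cookie on cross-site requests, which is what
    // CSRF relies on. 'strict' if no cross-site navigation needs a session.
    'same_site' => 'lax',
];
```

Data goes in and out with session(['cart' => $items]) and session('cart', []); the other half of session safety, calling $request->session()->regenerate() immediately after a successful login, belongs in the login handler rather than in this file.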