🔧 Reduce discoverability of session cookie name.

[coderabbi]

Derives session.cookie from SESSION_COOKIE, falling back to (snake_cased) APP_NAME . '_session', falling back to 'laravel_session' (current) in order to make it less discoverable, thereby (slightly) reducing threat vector.

[taylorotwell]

Could any characters be added to the app name which would in turn make this cookie name invalid (spaces, special characters, etc.?)

[coderabbi]

In practice, no.

https://stackoverflow.com/questions/1969232/allowed-characters-in-cookies

Though perhaps it would be "good citizenship" to limit to those in RFC 6265 (http://www.ietf.org/rfc/rfc6265.txt), i.e. all alphanumeric plus !#$%&'*+-.^_`|~ are fair game.

I can strip all but those out, if you'd like, or not, as either approach is technically valid.

[GrahamCampbell]

Don't we have a slug function that does that?

[coderabbi]

Str::slug() is a bit more stringent that even RFC 6265 requires, but that would certainly work, yes (albeit with the interesting side effect that @ gets converted to 'at').

[coderabbi]

Updated it to use str_slug, so is compliant with RFC 6265.

[taylorotwell]

Seems OK, Thanks.