fix(tracing): strip empty flash data and token from session

Naoray · claude · Naoray · commit 2017afc7be56 · 2026-02-08T13:30:55.000+01:00
Closes #35 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/src/Tracing/SessionCollector.php b/src/Tracing/SessionCollector.php
@@ -27,12 +27,23 @@ public function collect(): void
             return;
         }
 
-        Context::addHidden('session', [
-            'data' => $this->redactPayload(Session::all()),
-            'flash' => [
-                'old' => Session::get('_flash.old', []),
-                'new' => Session::get('_flash.new', []),
-            ],
-        ]);
+        $data = collect(Session::all())
+            ->except(['_token', '_flash'])
+            ->toArray();
+
+        $session = [
+            'data' => $this->redactPayload($data),
+        ];
+
+        $flash = [
+            'old' => Session::get('_flash.old', []),
+            'new' => Session::get('_flash.new', []),
+        ];
+
+        if (! empty($flash['old']) || ! empty($flash['new'])) {
+            $session['flash'] = $flash;
+        }
+
+        Context::addHidden('session', $session);
     }
 }
diff --git a/tests/Tracing/SessionCollectorTest.php b/tests/Tracing/SessionCollectorTest.php
@@ -32,3 +32,41 @@
 
     expect(Context::hasHidden('session'))->toBeFalse();
 });
+
+it('strips empty flash data from session', function () {
+    Session::start();
+    Session::put('key', 'value');
+
+    $this->collector->collect();
+
+    $session = Context::getHidden('session');
+
+    expect($session)->not->toHaveKey('flash');
+    expect($session['data'])->not->toHaveKey('_flash');
+});
+
+it('preserves non-empty flash data', function () {
+    Session::start();
+    Session::put('key', 'value');
+    Session::flash('message', 'Hello World');
+
+    $this->collector->collect();
+
+    $session = Context::getHidden('session');
+
+    expect($session)->toHaveKey('flash');
+    expect($session['flash']['new'])->toContain('message');
+});
+
+it('strips _token from session data', function () {
+    Session::start();
+    Session::put('key', 'value');
+    Session::put('_token', 'csrf-token-value');
+
+    $this->collector->collect();
+
+    $session = Context::getHidden('session');
+
+    expect($session['data'])->not->toHaveKey('_token');
+    expect($session['data']['key'])->toBe('value');
+});
