Strip empty flash data and token from session (#42)

Naoray · claude · web-flow · commit 3d2dca7047f9 · 2026-02-08T14:09:35.000+01:00
* fix(tracing): strip empty flash data and token from session Closes #35 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: use Arr::except instead of collection for session data filtering Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/src/Tracing/SessionCollector.php b/src/Tracing/SessionCollector.php
@@ -2,6 +2,7 @@
 
 namespace Naoray\LaravelGithubMonolog\Tracing;
 
+use Illuminate\Support\Arr;
 use Illuminate\Support\Facades\Context;
 use Illuminate\Support\Facades\Session;
 use Naoray\LaravelGithubMonolog\Tracing\Concerns\RedactsData;
@@ -27,12 +28,21 @@ public function collect(): void
             return;
         }
 
-        Context::addHidden('session', [
-            'data' => $this->redactPayload(Session::all()),
-            'flash' => [
-                'old' => Session::get('_flash.old', []),
-                'new' => Session::get('_flash.new', []),
-            ],
-        ]);
+        $data = Arr::except(Session::all(), ['_token', '_flash']);
+
+        $session = [
+            'data' => $this->redactPayload($data),
+        ];
+
+        $flash = [
+            'old' => Session::get('_flash.old', []),
+            'new' => Session::get('_flash.new', []),
+        ];
+
+        if (! empty($flash['old']) || ! empty($flash['new'])) {
+            $session['flash'] = $flash;
+        }
+
+        Context::addHidden('session', $session);
     }
 }
diff --git a/tests/Tracing/SessionCollectorTest.php b/tests/Tracing/SessionCollectorTest.php
@@ -32,3 +32,41 @@
 
     expect(Context::hasHidden('session'))->toBeFalse();
 });
+
+it('strips empty flash data from session', function () {
+    Session::start();
+    Session::put('key', 'value');
+
+    $this->collector->collect();
+
+    $session = Context::getHidden('session');
+
+    expect($session)->not->toHaveKey('flash');
+    expect($session['data'])->not->toHaveKey('_flash');
+});
+
+it('preserves non-empty flash data', function () {
+    Session::start();
+    Session::put('key', 'value');
+    Session::flash('message', 'Hello World');
+
+    $this->collector->collect();
+
+    $session = Context::getHidden('session');
+
+    expect($session)->toHaveKey('flash');
+    expect($session['flash']['new'])->toContain('message');
+});
+
+it('strips _token from session data', function () {
+    Session::start();
+    Session::put('key', 'value');
+    Session::put('_token', 'csrf-token-value');
+
+    $this->collector->collect();
+
+    $session = Context::getHidden('session');
+
+    expect($session['data'])->not->toHaveKey('_token');
+    expect($session['data']['key'])->toBe('value');
+});
