Laravel Legacy Bridge is a package by Chris Keller (chr15k) designed for gradual migrations to Laravel. When a project is moved one route at a time, users can be logged into the old application but treated as anonymous by the new Laravel routes. The package closes this gap by reading the legacy session cookie on unauthenticated requests, fetching the session row from the legacy database, decoding the payload, and calling Laravel’s loginUsingId() for the matching user. After Laravel writes its own session, the middleware stops consulting the legacy store.
Installation is via Composer: composer require chr15k/laravel-legacy-bridge, followed by php artisan legacy-bridge:install. The install command is interactive and includes framework presets, prompts for legacy database credentials, and writes the needed environment entries. The package also ships a php artisan legacy-bridge:verify command, optionally with a specific session ID, to test configuration against the real legacy database without authenticating anyone.
Configuration covers both payload formats and user resolution. Supported formats are native PHP session encoding, JSON, Laravel’s base64(serialize()) format, and encrypted payloads using LEGACY_BRIDGE_APP_KEY. The resolver can be set to auto, an explicit dot-notation key, or a custom class; the custom option is also the place to map old user IDs to new ones when tables have been re-seeded. The README recommends starting with auto and locking down to key or custom before production.
The package dispatches typed events rather than logging: LegacySessionBridged on success, LegacySessionBridgeFailed for known failures, and LegacySessionBridgeError for unexpected exceptions. Failures include a BridgeFailureReason enum with cases such as MissingCookie, AmbiguousCookie, SessionExpired, PayloadDecodeFailed, and UserNotResolved, plus a BridgeContext DTO carrying the cookie name, session ID, payload, user ID, and request metadata.
Current limitations include support for legacy database sessions only, not file, Redis, or Memcached drivers; web routes only, not stateless API requests; and the default auth guard only. It requires Laravel 13 and PHP 8.3 or newer. Security notes warn that the bridge deserializes payloads from the legacy sessions table, so that database should be treated as a trust boundary and read-only credentials are recommended. The legacy cookie remains unencrypted by design, so HTTPS is required for both apps. The default after_write invalidation strategy deletes the legacy session once the Laravel session is written, and the docs advise against setting invalidation to never in production. Optional context carrying lets values such as locale or cart ID travel from the legacy payload into Laravel.