Laravel Cookie Encryption

Laravel Cookie Encryption

Laravel encrypts and signs all cookies automatically, to prevent the client from modifying them.

Laravel’s encryption is done via the OpenSSL library with AES-256 and provides protection against anyone who tries to tamper with the data in the cookie, ensuring data integrity and security. This is particularly important when storing sensitive information in cookies.

If you need to access the value of this cookie within your Laravel application, you don’t have to do anything special; just use the Cookie facade or the $request->cookie() method, and Laravel will decrypt it automatically. For example:

$value = $request->cookie('my_cookie');


$value = Cookie::get('my_cookie');

So if you’re trying to read this cookie from a client-side script, or an external application, you won’t be able to easily decrypt the value, as it requires the application’s encryption key.

Working with Cookies in Laravel:

  1. Setting Cookies:
    You can set cookies using the Cookie facade or the withCookie method on the Response instance. For example:

    use Illuminate\Support\Facades\Cookie;
    public function setCookie(Request $request) {
        $minutes = 60;
        $response = new Response('Hello World');
        $response->withCookie(cookie('my_cookie', 'value', $minutes));
        return $response;

    In the example above, a new cookie with the name ‘my_cookie’ and value ‘value’ is attached to the outgoing response. This cookie will last for 60 minutes.

  2. Encryption:
    By default, all cookies generated by Laravel are encrypted and signed with an application-specific key, ensuring that the cookie’s value is safely hidden from the client and hasn’t been tampered with. The encryption uses the AES-256 cipher. This adds a layer of security as the client cannot read or alter the encrypted contents.
  3. Retrieving Cookies:
    When you need to retrieve the value of a cookie, you can do so with the Request instance’s cookie method or the Cookie facade, and Laravel will automatically decrypt the value for you:

    $value = $request->cookie('my_cookie');
    // Or using the Cookie facade
    $value = Cookie::get('my_cookie');
  4. Disabling Encryption:
    If you want to have unencrypted cookies, you can add the names of these cookies to the except array of the EncryptCookies middleware:

    namespace App\Http\Middleware;
    use Illuminate\Cookie\Middleware\EncryptCookies as Middleware;
    class EncryptCookies extends Middleware
         * The names of the cookies that should not be encrypted.
         * @var array
        protected $except = [
            'my_cookie',  // the cookie name you don't want to encrypt

Leave a Reply

Your email address will not be published. Required fields are marked *