Laravel Cookie Encryption

Laravel encrypts and signs all cookies automatically, to prevent the client from modifying them.

Laravel's encryption uses the OpenSSL library with AES-256, and because each cookie is also signed, any attempt to tamper with the cookie's data is detected, ensuring both integrity and confidentiality. This is particularly important when storing sensitive information in cookies.

If you need to access the value of this cookie within your Laravel application, you don't have to do anything special; just use the Cookie facade or the $request->cookie() method, and Laravel will decrypt it automatically. For example:

$value = $request->cookie('my_cookie');

// Or using the Cookie facade
$value = Cookie::get('my_cookie');

This means that a client-side script or an external application cannot easily decrypt the value, because doing so requires the application's encryption key.

Working with Cookies in Laravel:

  1. Setting Cookies:
    You can set cookies using the Cookie facade or the withCookie method on the Response instance. For example:

    use Illuminate\Http\Request;
    use Illuminate\Http\Response;
    use Illuminate\Support\Facades\Cookie;

    public function setCookie(Request $request)
    {
        $minutes = 60;
        $response = new Response('Hello World');
        // The cookie is encrypted and signed by the EncryptCookies middleware on the way out
        $response->withCookie(cookie('my_cookie', 'value', $minutes));
        return $response;
    }

    In the example above, a new cookie with the name 'my_cookie' and value 'value' is attached to the outgoing response. This cookie will last for 60 minutes.

  2. Encryption:
    By default, all cookies generated by Laravel are encrypted and signed with an application-specific key, ensuring that the cookie's value is hidden from the client and that any tampering is detected. The encryption uses the AES-256 cipher. This adds a layer of security, as the client can neither read the encrypted contents nor alter them without the change being noticed.
  3. Retrieving Cookies:
    When you need to retrieve the value of a cookie, you can do so with the Request instance's cookie method or the Cookie facade, and Laravel will automatically decrypt the value for you:

    $value = $request->cookie('my_cookie');
    // Or using the Cookie facade
    $value = Cookie::get('my_cookie');
  4. Disabling Encryption:
    If you want certain cookies to remain unencrypted, add their names to the $except array of the EncryptCookies middleware:

    namespace App\Http\Middleware;

    use Illuminate\Cookie\Middleware\EncryptCookies as Middleware;

    class EncryptCookies extends Middleware
    {
        /**
         * The names of the cookies that should not be encrypted.
         *
         * @var array
         */
        protected $except = [
            'my_cookie', // the cookie name you don't want to encrypt
        ];
    }
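To make the "encrypted and signed" step in the Encryption item above concrete, here is an added Python example (not Laravel's own code) that builds the base64(JSON) envelope Laravel's Encrypter emits for AES-256-CBC cookies and verifies its HMAC-SHA256 the way the framework does before it attempts decryption. The APP_KEY, IV and ciphertext bytes are constructed placeholders, not real AES output; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for APP_KEY, which Laravel stores as "base64:<32 random bytes>".
APP_KEY = "base64:" + base64.b64encode(b"\x01" * 32).decode()


def _key_bytes(app_key: str) -> bytes:
    """Strip the "base64:" prefix and decode, as Laravel does when parsing APP_KEY."""
    return base64.b64decode(app_key[len("base64:"):])


def _mac(iv_b64: str, value_b64: str, app_key: str) -> str:
    """HMAC-SHA256 over base64(iv) || base64(ciphertext), hex-encoded like PHP's hash_hmac()."""
    return hmac.new(_key_bytes(app_key), (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def make_payload(iv: bytes, ciphertext: bytes, app_key: str) -> str:
    """Build the base64(JSON) envelope Laravel's Encrypter emits for AES-256-CBC cookies.
    iv/ciphertext are taken as given here; in Laravel they come from openssl_encrypt()."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    envelope = {"iv": iv_b64, "value": value_b64, "mac": _mac(iv_b64, value_b64, app_key), "tag": ""}
    return base64.b64encode(json.dumps(envelope, separators=(",", ":")).encode()).decode()


def mac_is_valid(cookie_value: str, app_key: str) -> bool:
    """Parse the envelope and verify its MAC in constant time.
    This is the check Laravel runs before it ever attempts to decrypt."""
    try:
        payload = json.loads(base64.b64decode(cookie_value, validate=True))
        iv_b64, value_b64, mac = payload["iv"], payload["value"], payload["mac"]
    except (ValueError, KeyError, TypeError):
        return False
    if not all(isinstance(x, str) for x in (iv_b64, value_b64, mac)):
        return False
    return hmac.compare_digest(_mac(iv_b64, value_b64, app_key), mac)


def modified_copy(cookie_value: str) -> str:
    """Simulate a client editing the cookie: flip one ciphertext bit and leave the MAC as is."""
    payload = json.loads(base64.b64decode(cookie_value))
    ct = bytearray(base64.b64decode(payload["value"]))
    ct[0] ^= 0x01
    payload["value"] = base64.b64encode(bytes(ct)).decode()
    return base64.b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()
```

A cookie rejected by mac_is_valid is exactly what Laravel treats as invalid and discards, which is why a client cannot edit even the parts of the envelope it can base64-decode.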
