Laravel cookie encryption

Question

Is Laravel hashing differently request and response cookies?

I am using main domain and subdomains, and have set up CORS and CSRF and if I exclude cookies from EncryptCookies class I see the same cookies in the response headers and request headers.

If I leave them to encrypt however, I am getting different "encryption strings", and don't know if that is acceptable behaviour?

EncryptCookies class is only listed under web part in Kernel.php

What I meant is: encryption does not have to give the same "encrypted string" every time. E.g. http://www-cs-students.stanford.edu/~tjw/jsbn/rsa2.html — online Thomas, Dec 13 '17 at 12:43
Well that was in fact my question...is that what is supposed to happen or not — Norgul, Dec 13 '17 at 12:45
I have not read the code, but I **think** yes, this is not weird. Especially of the payload also might be changing. — online Thomas, Dec 13 '17 at 12:46

Ben · Accepted Answer · 2017-12-13T12:58:15.997

For Laravel Encryption:

Laravel's encrypter uses OpenSSL to provide AES-256 and AES-128 encryption. You are strongly encouraged to use Laravel's built-in encryption facilities and not attempt to roll your own "home grown" encryption algorithms. All of Laravel's encrypted values are signed using a message authentication code (MAC) so that their underlying value can not be modified once encrypted.

For each encryption, the value are encrypted with AES-256 / AES-128 with different initialization vector and signed with different MAC, even if you encrypt the same value, the payload, returned value of encrypt always different. For easier understanding, you can check this example:

$value = Crypt::encrypt('foo');
// eyJpdiI6ImVoNEVlVWpnYUdwZ1JHRlJWSGlTZEE9PSIsInZhbHVlIjoiVThpWjJNWVBqZnVsWjhLVWNDXC85VHc9PSIsIm1hYyI6IjFjMDRhOTM5ZThhOWRmYjk3Mzk0OWFmNTM3YWE1NDAzNzMxNWY5YTJmODMwNmQxZDE4NDllZGJkMjc1Y2I3ZmYifQ==
base64_decode($value);
// {"iv":"eh4EeUjgaGpgRGFRVHiSdA==","value":"U8iZ2MYPjfulZ8KUcC\/9Tw==","mac":"1c04a939e8a9dfb973949af537aa54037315f9a2f8306d1d1849edbd275cb7ff"}

The second attempt:

$value = Crypt::encrypt('foo');
// eyJpdiI6Ill5MmZleG5ycTBaZmQ5NnRDT3N3dVE9PSIsInZhbHVlIjoiTmgrRnlqajJjUk9qTk1qeHJLU21LUT09IiwibWFjIjoiNWEzZDRjZWMwMjg0ZDhlMjhlZWRiODg3ZWQ5MTcxN2I5N2JjY2ZmMzc0NTYyOTI5MThmOTk4YjAyZjM1YTRjMyJ9
base64_decode($value);
// {"iv":"Yy2fexnrq0Zfd96tCOswuQ==","value":"Nh+Fyjj2cROjNMjxrKSmKQ==","mac":"5a3d4cec0284d8e28eedb887ed91717b97bccff37456292918f998b02f35a4c3"}

How does it know then if it is the same token if the encrypted values are different? — Norgul, Dec 13 '17 at 12:50
Crypt::decrypt() will decrypt it and the value returned to you will be the same. `Crypt::decrypt(Crypt::encrypt('foo')) == Crypt::decrypt(Crypt::encrypt('foo'))` — Tschallacka, Dec 13 '17 at 12:51
related link: https://stackoverflow.com/questions/9049789/aes-encryption-key-versus-iv — Ben, Dec 13 '17 at 13:03

Laravel cookie encryption

1 Answers1