19

from laravel docs

Application Key

The next thing you should do after installing Laravel is set your application key to a random string. If you installed Laravel via Composer or the Laravel installer, this key has already been set for you by the php artisan key:generate command.

Typically, this string should be 32 characters long. The key can be set in the .env environment file. If you have not renamed the .env.example file to .env, you should do that now. If the application key is not set, your user sessions and other encrypted data will not be secure!

What I know about the application key is: if the application key is not set, I generally get an exception.

  • How does this random string help to secure the session?
  • What are the other uses of this application key?
  • If I use the same application key everywhere (like staging, production etc.) does it make the application less secure?
  • What are some best practices for this key?
Shobi
  • please be kind to explain downvotes, so that I could delete this post if necessary. thanks – Shobi Mar 23 '18 at 08:41
  • *If I use the same application key everywhere (like staging, production etc..) does it make the application less secure?* I even reset the staging key on every deploy. – Kyslik Mar 23 '18 at 08:42
  • well, why do you do that? @Kyslik – Shobi Mar 23 '18 at 08:43
  • So every session is invalidated :), besides that from `config/app.php`: *This key is used by the Illuminate encrypter service...* – Kyslik Mar 23 '18 at 08:44
  • I don't know why the downvote, this is a very good question. From what I know it's used in cookie encryption and session data encryption. Maybe it has some role in API security but I don't know, I never tried to learn more about it, but now that you have put up this question I am curious – Vinay Mar 23 '18 at 08:45
  • Take a look at this [general community question](https://security.stackexchange.com/questions/4755/web-application-encryption-key-management). – Eazy Sam Mar 23 '18 at 08:59
  • @Viney no, it is not used in API security, if we talk about using [Passport](https://github.com/laravel/passport), the package generates its own certificates as far as I know. – Kyslik Mar 23 '18 at 09:06

1 Answer

21

It is used in EncryptionServiceProvider:

use Illuminate\Encryption\Encrypter;
use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Str;

class EncryptionServiceProvider extends ServiceProvider
{
    public function register()
    {
        $this->app->singleton('encrypter', function ($app) {
            $config = $app->make('config')->get('app');
            // If the key starts with "base64:", we will need to decode the key before handing
            // it off to the encrypter. Keys may be base-64 encoded for presentation and we
            // want to make sure to convert them back to the raw bytes before encrypting.
            if (Str::startsWith($key = $this->key($config), 'base64:')) {
                $key = base64_decode(substr($key, 7));
            }

            return new Encrypter($key, $config['cipher']);
        });
    }

    // Reads app.key from the config and throws when it is empty: this is the
    // exception the question mentions when no application key has been set.
    protected function key(array $config)
    {
        return tap($config['key'], function ($key) {
            if (empty($key)) {
                throw new \RuntimeException('No application encryption key has been specified.');
            }
        });
    }
}

So every component that uses encryption (sessions, encryption in user scope, the CSRF token) benefits from the app_key.


The rest of the questions can be answered by understanding how encryption (AES) works: open up Encrypter.php and confirm that Laravel uses AES under the hood and that the implementation encodes the result to base64.

An example using tinker:

➜  artisan tinker
Psy Shell v0.8.17 (PHP 7.1.14 — cli) by Justin Hileman
>>> encrypt('Hello World!')
=> "eyJpdiI6ImgzK08zSDQyMUE1T1NMVThERjQzdEE9PSIsInZhbHVlIjoiYzlZTk1td0JJZGtrS2luMlo0QzdGcVpKdTEzTWsxeFB6ME5pT1NmaGlQaz0iLCJtYWMiOiI3YTAzY2IxZjBiM2IyNDZiYzljZGJjNTczYzA3MGRjN2U3ZmFkMTVmMWRhMjcwMTRlODk5YTg5ZmM2YjBjMGNlIn0="

Note: I used this key: base64:Qc25VgXJ8CEkp790nqF+eEocRk1o7Yp0lM1jWPUuocQ= to encrypt Hello World!

After decoding the result we get (you can try decoding your own session cookie the same way):

{"iv":"h3+O3H421A5OSLU8DF43tA==","value":"c9YNMmwBIdkkKin2Z4C7FqZJu13Mk1xPz0NiOSfhiPk=","mac":"7a03cb1f0b3b246bc9cdbc573c070dc7e7fad15f1da27014e899a89fc6b0c0ce"}

To understand the above JSON (iv, value, mac) you need to understand AES:


Good practices for an application key

  • do store it in .env file only
  • do not store it in app.php, in fact in any git tracked file
  • do not change it unless you really want to
    • invalidate sessions/cookies (user logout)
    • invalidate password reset tokens
    • invalidate signed urls

Note: Changing application key has no effect on hashed passwords since hashing algorithms do not require encryption keys.

Kyslik