It seems cookie decryption is randomly failing in Google Chrome.
```php
// Illuminate\Cookie\Middleware\EncryptCookies::decrypt(), with a dd() added for debugging
protected function decrypt(Request $request)
{
    foreach ($request->cookies as $key => $c) {
        if ($this->isDisabled($key)) {
            continue;
        }

        try {
            $request->cookies->set($key, $this->decryptCookie($c));
        } catch (DecryptException $e) {
            dd('exception: ', $e); // added by me to see the failure

            $request->cookies->set($key, null);
        }
    }

    return $request;
}
```
Here is the output when it fails:
```text
"exception: "
DecryptException {#318
  #message: "The payload is invalid."
  #code: 0
  #file: "C:\...\vendor\laravel\framework\src\Illuminate\Encryption\Encrypter.php"
  #line: 191
```
There are a couple of posts about X-XSRF-TOKEN failing on decryption sometimes:
Laravel DecryptException - The payload is invalid: https://www.reddit.com/r/laravel/comments/4xl01y/xxsrftoken_fails_frequently_on_decryption_and/
Strangely, whenever I refresh the page, sometimes the DecryptException is thrown but most of the time the try statement succeeds. When I test in IE and Firefox, the try statement always succeeds.
I deleted cookies etc. from Chrome but that didn't fix the issue.
I appreciate any thoughts as I have spent many, many hours on this problem.
UPDATE 1: When I remove the 'remember_web_...' cookie, I no longer get an exception. Still, I have no idea why the remember cookie would cause a decryption exception sometimes in Chrome.
UPDATE 2: More puzzle pieces. When decrypt() throws the exception, the cookie it is decrypting is only part of the request cookie, which explains the exception. For example, the cookie in the request header of the client is:
```text
eyJpdiI6IjRaZ3dpVlNMRjB0TEJiNCtRVlUrN2c9PSIsInZhbHVlIjoicHJNYUdOMDc3azdJXC9sV0lYTThZTDB6aERXV1JwTFhTb2xVbEdEaXhVekJmTkFoVGVQalFEK2ZqamNPWUFHcVREZE9cL3pjQjRGdHBcL25scENJN0UxRGc9PSIsIm1hYyI6IjI5MzdhNzJiNmNhOTMyNmE2NjhmNzI4ZGRlM2ZlZWVjM2Q3NGFiYmEzMGZhZmIxZWZlYWNmYzNlZjAzOWU0OWIifQ%3D%3D
```
But the cookie being decrypted is missing the last 89 characters of the client request cookie:
```text
eyJpdiI6IjRaZ3dpVlNMRjB0TEJiNCtRVlUrN2c9PSIsInZhbHVlIjoicHJNYUdOMDc3azdJXC9sV0lYTThZTDB6aERXV1JwTFhTb2xVbEdEaXhVekJmTkFoVGVQalFEK2ZqamNPWUFHcVREZE9cL3pjQjRGdHBcL25scENJN0UxRGc9PSIsIm1hYyI6IjI5Mzd
```
Here is a screenshot illustrating the issue: [screenshot: cookie mismatch]
I think the question now is, why is the cookie in the server-side Request header missing part of the cookie from the client-side request header?
UPDATE 3: The number of missing characters in the cookie seems to depend on the cookie name length. When I use a really long cookie name, the number of missing characters increases, and vice versa. This also explains why removing the remember cookie or the XSRF cookie fixes the issue. Again, this only fails sometimes, so I am not sure why it isn't constant.
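Added example (not from the question, and not Laravel's own code): a Python re-implementation of the checks `Illuminate\Encryption\Encrypter` runs on a cookie before it ever calls `openssl_decrypt()`, as they work in Laravel 5.x: URL-decode, base64-decode, `json_decode`, verify that `iv`, `value` and `mac` are present and that the IV is 16 bytes (otherwise "The payload is invalid."), then verify `mac == HMAC-SHA256(iv_b64 . value_b64, key)` (otherwise "The MAC is invalid."). It is run over the two cookie values quoted in UPDATE 2: the full one parses cleanly, the truncated one dies at the JSON stage with exactly the message in the `dd()` output, because the cut lands inside the `mac` field. Since the real `APP_KEY` is unknown here, the full cookie can only be shown to pass the structure check; `DEMO_KEY`, `DEMO_IV` and `DEMO_CIPHERTEXT` are constructed values used to show the MAC stage on a payload built in the same layout. Standard library only; no AES decryption is performed.

```python
"""Re-implementation of the payload checks Laravel's Encrypter runs before decrypting."""
import base64
import binascii
import hashlib
import hmac
import json
from urllib.parse import unquote

# Cookie value the browser sent (copied from the question, UPDATE 2).
FULL_COOKIE = (
    "eyJpdiI6IjRaZ3dpVlNMRjB0TEJiNCtRVlUrN2c9PSIsInZhbHVlIjoicHJNYUdOMDc3azdJXC9"
    "sV0lYTThZTDB6aERXV1JwTFhTb2xVbEdEaXhVekJmTkFoVGVQalFEK2ZqamNPWUFHcVREZE9cL3"
    "pjQjRGdHBcL25scENJN0UxRGc9PSIsIm1hYyI6IjI5MzdhNzJiNmNhOTMyNmE2NjhmNzI4ZGRlM"
    "2ZlZWVjM2Q3NGFiYmEzMGZhZmIxZWZlYWNmYzNlZjAzOWU0OWIifQ%3D%3D"
)
# Value the server actually tried to decrypt (same source, UPDATE 2).
TRUNCATED_COOKIE = (
    "eyJpdiI6IjRaZ3dpVlNMRjB0TEJiNCtRVlUrN2c9PSIsInZhbHVlIjoicHJNYUdOMDc3azdJXC9"
    "sV0lYTThZTDB6aERXV1JwTFhTb2xVbEdEaXhVekJmTkFoVGVQalFEK2ZqamNPWUFHcVREZE9cL3"
    "pjQjRGdHBcL25scENJN0UxRGc9PSIsIm1hYyI6IjI5Mzd"
)

IV_LENGTH = 16  # openssl_cipher_iv_length() for AES-128-CBC and AES-256-CBC

PAYLOAD_INVALID = "The payload is invalid."
MAC_INVALID = "The MAC is invalid."


def parse_payload(cookie):
    """Mirror Encrypter::getJsonPayload() + validPayload().

    Returns the decoded {"iv", "value", "mac"} dict, or None where Laravel
    would throw DecryptException('The payload is invalid.').
    """
    raw = unquote(cookie)
    # PHP's base64_decode() tolerates missing '=' padding; Python does not,
    # so pad first to reach the same json_decode() stage PHP reaches.
    raw += "=" * (-len(raw) % 4)
    try:
        payload = json.loads(base64.b64decode(raw))
    except (binascii.Error, ValueError):  # bad base64, bad UTF-8 or cut-off JSON
        return None
    if not isinstance(payload, dict):
        return None
    if not all(isinstance(payload.get(k), str) for k in ("iv", "value", "mac")):
        return None
    try:
        iv = base64.b64decode(payload["iv"], validate=True)
    except binascii.Error:
        return None
    if len(iv) != IV_LENGTH:
        return None
    return payload


def valid_mac(payload, key):
    """Mirror Encrypter::validMac(): HMAC-SHA256 over the base64 IV string
    concatenated with the base64 ciphertext string, hex-encoded, compared in
    constant time (Laravel wraps the comparison in a second keyed HMAC; the
    outcome is the same)."""
    msg = (payload["iv"] + payload["value"]).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, payload["mac"].encode())


def classify(cookie, key):
    """Return the DecryptException message Laravel would raise for this cookie,
    or 'ok' if the payload would make it through to openssl_decrypt()."""
    payload = parse_payload(cookie)
    if payload is None:
        return PAYLOAD_INVALID
    if not valid_mac(payload, key):
        return MAC_INVALID
    return "ok"


def make_payload(key, iv, ciphertext):
    """Build a cookie value in Laravel's layout: base64(json({iv, value, mac})).
    The ciphertext is whatever bytes the caller passes (constructed, not real AES)."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    mac = hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()
    body = json.dumps({"iv": iv_b64, "value": value_b64, "mac": mac}, separators=(",", ":"))
    return base64.b64encode(body.encode()).decode()


# Constructed demo key/IV/ciphertext: the real APP_KEY is not known here.
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()
DEMO_IV = bytes(range(16))
DEMO_CIPHERTEXT = bytes(64)  # four AES blocks of zeros standing in for real output

if __name__ == "__main__":
    print("full cookie, unknown key :", classify(FULL_COOKIE, DEMO_KEY))
    print("truncated cookie         :", classify(TRUNCATED_COOKIE, DEMO_KEY))
    demo = make_payload(DEMO_KEY, DEMO_IV, DEMO_CIPHERTEXT)
    print("constructed, intact      :", classify(demo, DEMO_KEY))
    print("constructed, cut by 89   :", classify(demo[:-89], DEMO_KEY))
```

The useful distinction for debugging is the order of the two checks: any cut inside the base64 blob ruins the JSON before the MAC is ever looked at, so a truncated cookie always reports "The payload is invalid.", never "The MAC is invalid."; a MAC error would instead point at a key mismatch or a modified but well-formed payload.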