3

I'm having an issue setting cookies in Laravel 5.6. I'm currently working on logging in with Facebook, and have it all working as expected except that the Access Token won't store correctly in the Cookies. For some reason, it keeps storing a value which I am not familiar with and I can't figure out why.

To test this, I have modified my callback function to set a test cookie, and the same behaviour happens.

Here is my route which is being called:

Route::get('{provider}/callback', 'Auth\LoginController@handleProviderCallback');

Here is my handleProviderCallback method:

public function handleProviderCallback(string $provider)
{
    Cookie::queue(Cookie::make('fb', 'test', 1000, '/', config('session.domain'), config('session.secure'), config('session.http_only')));
    return redirect('/');
}

And here is the cookie which is then set to fb: eyJpdiI6IkFROTRzU2ZhTGQwXC9DOHZoR3lqVDZnPT0iLCJ2YWx1ZSI6ImpqWE8wSVpDRzBzT1p2WGxPdE5pYlE9PSIsIm1hYyI6IjA5NzYxODQ0MmFkZmE2NDQ1YmU5Zjg2Y2NmNjU1N2RhZmVmNjcxZjJmYjhmZmViMWEwZGU5NTE5ZDYxMWY2ZjAifQ==

I have tried this using actual values of course, which is why I have now reverted to just a test value to see what is happening. I have tried clearing all my cookies and cache, as well as trying it in both Chrome and Safari.

Why is it always setting a eyJ... value instead of the value I tell it to?

Kyslik
  • 8,217
  • 5
  • 54
  • 87
TPHughes
  • 1,437
  • 11
  • 13

1 Answers1

5

Laravel encrypts & base64 encodes all cookies by default using App\Http\Middleware\EncryptCookies, so when you base64 decode the string you will get 

{"iv":"AQ94sSfaLd0\/C8vhGyjT6g==","value":"jjXO0IZCG0sOZvXlOtNibQ==","mac":"097618442adfa6445be9f86ccf6557dafef671f2fb8ffeb1a0de9519d611f6f0"}

which is encrypted data, actually only jjXO0IZCG0sOZvXlOtNibQ== is encrypted the rest is just meta data used for decryption with APP_KEY. Also value jjXO0IZCG0sOZvXlOtNibQ== is base64 encoded, after decoding it you get 5ІBKf:bm, which is the real encrypted value.

Note: eyJ base64 decoded is {" which is beginning of JSON.

You can read about application key / Laravel's encryption more in this answer https://stackoverflow.com/a/49445587/1564365.

You can disable encryption for testing (I mean debugging) in App\Http\Middleware\EncryptCookies middleware by setting $except = ['fb'], or just remove the middleware from kernel.php (comment it out!, and uncomment it later for production).

Kyslik
  • 8,217
  • 5
  • 54
  • 87