Fix cookie decryption when using psr7 #9263
Conversation
Cookies with serialized values sound scary
@lorenzo, I agree. But the issue is with any value with URL-encodable characters (encrypted values are one example).
 */
public function testCanAssertCookieEncryptedWithAesWhenUsingPsr7()
{
    $this->_useHttpServer = true;
There is a method for this, but I can change that post merge.
Looks good to me
I faced the same issues with CakePHP 3.3.5 while trying to implement a 'Remember Me' feature. After login using Form authentication, I was setting the cookie using the default encryption and security salt.
In the AppController beforeFilter method, I have set up the script to read the cookie and re-login using the values.
However, $this->Cookie->read always returns an empty string. Studying the Cookie Component scripts, I found the solution that solved the problem for me. The values passed to the _decode and _decrypt functions of Cake\Utility\CookieCryptTrait are URL-encoded, which encodes the '=' in the prefix and causes the issue. I modified each of the two functions by adding a urldecode line to it (as the first line), and that solved the problem.
Can you try deleting the old cookies and creating new ones? This sounds like the issue that was fixed in #9557.
I tried deleting the old cookies. It did not help. I even tried building a different new cookie and had the same issue. Incidentally, this is a fresh install of CakePHP 3.3.5 and not an upgrade from an older setup.
Can you try upgrading to 3.3.6? That version contains the fix from #9557.
The upgrade took care of the issue. Thanks.
When upgrading an application that uses encrypted cookies, tests failed. After looking for quite some time, I was able to spot cookies being transformed from the PSR7 response to Cake's own, but with the == encoded, which was unsurprisingly breaking decryption. I should also add that I am not sure this is the best way to resolve this, as I haven't played much with the new PSR7 support yet. Maybe the fix should go elsewhere.
Update: Without this change, it also fails when using unencrypted cookies with serialized array values.
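The failure described in the comment above and in the PR description (URL-encoded '=' padding reaching the decrypt routine, and urlencode also mangling unencrypted serialized array values), reproduced as an added, self-contained example. This is not CakePHP's code and not the change in this PR: the key derivation from a placeholder salt, the cookie layout (HMAC, then IV, then ciphertext), and the helper names encryptValue, decryptValue, readCookie and check are assumptions made for the demonstration only.

```php
<?php
// Added example, not CakePHP's own code. It shows why a cookie value that
// has been URL-encoded in transit cannot be handed straight to a base64/AES
// decrypt routine, and why URL-decoding once at the transport boundary fixes it.
declare(strict_types=1);

// Constructed 32-byte key derived from a placeholder salt (not a real secret).
$key = hash('sha256', 'placeholder-security-salt', true);

// Constructed layout: base64( HMAC-SHA256(iv . cipher) . iv . cipher ).
function encryptValue(string $plain, string $key): string
{
    $iv     = random_bytes(16);
    $cipher = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }
    $mac = hash_hmac('sha256', $iv . $cipher, $key, true);
    return base64_encode($mac . $iv . $cipher);
}

// Returns the plaintext, or null when the value is not valid base64, is too
// short, or fails MAC verification (the MAC is checked before decrypting).
function decryptValue(string $encoded, string $key): ?string
{
    // Strict mode rejects any character outside the base64 alphabet, so a
    // URL-encoded value containing "%3D", "%2B" or "%2F" is refused outright
    // instead of being silently mis-decoded.
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < 32 + 16 + 16) {
        return null;
    }
    $mac    = substr($raw, 0, 32);
    $iv     = substr($raw, 32, 16);
    $cipher = substr($raw, 48);
    if (!hash_equals(hash_hmac('sha256', $iv . $cipher, $key, true), $mac)) {
        return null;
    }
    $plain = openssl_decrypt($cipher, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

// Simulates reading the cookie back from a response layer that URL-encoded it.
function readCookie(string $onWire, string $key, bool $urlDecodeFirst): ?string
{
    $value = $urlDecodeFirst ? urldecode($onWire) : $onWire;
    return decryptValue($value, $key);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
    echo "ok: $what\n";
}

$plain  = 'user:42';
$cookie = encryptValue($plain, $key);
// What the transport layer hands back: '=' padding becomes '%3D',
// '+' becomes '%2B' and '/' becomes '%2F'. The payload here is always
// 64 bytes, so the base64 form always ends in "==" and always gets mangled.
$onWire = urlencode($cookie);

check(readCookie($onWire, $key, false) === null, 'URL-encoded value is rejected by decrypt');
check(readCookie($onWire, $key, true) === $plain, 'urldecode first, then decrypt, recovers the value');

// The same transport encoding breaks unencrypted serialized values too:
// ':', '"', ';', '{' and '}' are all escaped by urlencode().
$array      = ['remember' => true, 'id' => 42];
$serialized = serialize($array);
$wireSer    = urlencode($serialized);
check(@unserialize($wireSer, ['allowed_classes' => false]) === false, 'URL-encoded serialized value fails to unserialize');
check(unserialize(urldecode($wireSer), ['allowed_classes' => false]) === $array, 'urldecode first restores the array');
```

Run it with php on the command line; every line it prints starts with "ok:". Two design points matter beyond the bug itself: the value is URL-decoded exactly once, at the boundary where it leaves the response object, rather than inside the crypto helpers (decoding again inside decryptValue would corrupt legitimate values that happen to contain a literal '%'), and the MAC is verified before openssl_decrypt is ever called, so a mangled or tampered cookie is rejected without touching the cipher.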