Fix cookie decryption when using psr7

[jadb]

When upgrading an application that uses encrypted cookies, tests failed. After looking for quite some time, I was able to spot cookies being transformed from the PSR7 response to Cake's own but with the == encoded; which was unsurprisingly breaking decryption.

I should also add that I am not sure this is the best way to resolve this as I haven't played much with the new PSR7 support yet. Maybe the fix should go elsewhere.

Update Without this change, it also fails when using unencrypted cookies with serialized array values.

[lorenzo]

Cookies with serialized values sounds scary

[jadb]

@lorenzo, I agree. But issue is with any value with URL encodable characters (encrypted values are one example).

[markstory]

There is a method for this, but I can change that post merge.

[markstory]

Looks good to me

[argentum-websolutions]

I faced the same issues with CakePHP 3.3.5 while trying to implement a 'Remember Me' feature.

Post Login using Form authentication, I was setting the cookie using default encryption and security salt.

$this->Cookie->write('CookieAuth', [
                            'username' => $this->request->data['mail'],
                            'password' => $this->request->data['password']
                            ]);

In the AppController beforeFilter method, I have set up the script to read the cookie and relogin using the values.

if (!$this->Auth->user() && $this->Cookie->read('CookieAuth')) {
// do something
}

However $this->Cookie->read always returns an empty string.

Studying the Cookie Component Scripts, I have found the solution that solved the problem for me.

The values passed to the _decode and _decrypt functions of Cake\Utility\CookieCryptTrait are urlencoded which is encoding the '=' in the prefix and causing the issue.

I modified each of the two functions by adding a urldecode line to it (the first line), and that solved the problem.

protected function _decode($value, $encrypt, $key)
    {
        $value = urldecode($value);
        if (!$encrypt) {
            return $this->_explode($value);
        }
         ...
         ...
}

protected function _decrypt($values, $mode, $key = null)
    {
        $values = urldecode($values);
        if (is_string($values)) {
            return $this->_decode($values, $mode, $key);
        }

        $decrypted = [];
        foreach ($values as $name => $value) {
            $decrypted[$name] = $this->_decode($value, $mode, $key);
        }

        return $decrypted;
    }

[markstory]

Can you try deleting the old cookies and creating new ones. This sounds like the issue that was fixed in #9557.

[argentum-websolutions]

I tries deleting the old cookies. It did not help. I even tried building a different new cooking and had the same issue. Incidentally, this is a fresh install of CakePHP 3.3.5 and not an upgrade from an older setup.

[markstory]

Can you try upgrading to 3.3.6? That version contains the fix from #9557

[argentum-websolutions]

The upgrade took care of the issue. Thanks.