[5.1] Disable encryption for certain cookies

[franzliedke]

This has been a long-requested feature (#3440, #4134, #6421, #6679), so I wanted to try to get this in before the 5.1 release.

For example, in my FluxBB auth bridge package, I could put this code in the service provider:

Illuminate\Cookie\Middleware\EncryptCookies::disableFor('fluxbb_cookie_1234');

After considering the options, I think a blacklist in the middleware is the best middle ground between small code changes, ease of use and keeping the concept to this contained in this middleware.

/cc @davejamesmiller @RomainLanz @raulp @maclof

Closes #6679.

[taylorotwell]

This is a pretty sensible approach. Thanks!

[maclof]

@franzliedke great job dude, definitely going to be trying this out today!

[d13r]

Shouldn't that be static::$disabled = rather than disabled[]?

[franzliedke]

Thanks for the heads-up. One late-night refactoring too much. I sent a PR fixing this.

[d13r]

Thanks @franzliedke, that looks like a good solution.

[iJoyCode]

@franzliedke +1

[RomainLanz]

Thanks @franzliedke

[noil]

I try to use this functional (I put this code in the service provider: Illuminate\Cookie\Middleware\EncryptCookies::disableFor('fluxbb_cookie_1234');) but error happened. "Non-static method Illuminate\Cookie\Middleware\EncryptCookies::disableFor() should not be called statically, assuming $this from incompatible context"

[willrowe]

The final implementation of this feature made the method non-static. The docs explain how to exclude cookies.

[d13r]

The docs explain how to exclude them from the app itself, but not from a package / service provider...

I haven't tested it yet, but my guess would be something like this:

// Check in case the user removed the middleware from their application
if (class_exists('App\Http\Middleware\EncryptCookies')) {
    // Get an instance of the middleware from the IoC container, and call the method
    app('App\Http\Middleware\EncryptCookies')->disableFor('fluxbb_cookie_1234');
}

I'm not sure if app('Illuminate\Cookie\Middleware\EncryptCookies') would work - it might return a different object than app('App\Http\Middleware\EncryptCookies').

Edit: Or, alternatively, do nothing special in the code and tell the user to add the exclude to App\Http\Middleware\EncryptCookies in the installation instructions.

[revengel]

Hi. What news about 'disableFor' method? How I can disable some cookie encryption in package? (Laravel 5.1)

How to use method 'disableFor' in my code? Please help.

app('App\Http\Middleware\EncryptCookies')->disableFor('foo');  // no works for me

[tillkruss]

app('App\Http\Middleware\EncryptCookies') returns a different object each call.

How exactly can disableFor() be called?

[mattcrowe]

I don't know if this is the best way to do this, but to get this to work I added the following to the "register" method in:

App\Providers\AppServiceProvider:

use Illuminate\Cookie\Middleware\EncryptCookies;

//...

public function register() {
$this->app->singleton('Illuminate\Cookie\Middleware\EncryptCookies', function($app) {
return new EncryptCookies($app['Illuminate\Contracts\Encryption\Encrypter']);
});
}

[d13r]

That can be reduced to:

public function register() {
    $this->app->singleton('Illuminate\Cookie\Middleware\EncryptCookies');
}

[tillkruss]

Ah, thanks, cool solution. I solved it like this in my tests:

$this->app->resolving(EncryptCookies::class, function ($object) {
    $object->disableFor('c');
});

[gibtang]

Is this going to the next release? Disabling encryption for certain cookies is useful for me too, especially when I need my cookie to interact with JS

[larabelt]

Disabling cookie encryption appears to be easier in 5.3:

https://laravel.com/docs/5.3/responses#cookies-and-encryption