Yasen Ivanov

Reputation: 1023

Laravel's application key - what is it and how does it work?

From what I know, the app key in Laravel provides protection for session and sensitive data, but what I want to understand is how exactly it works. What is the purpose of it? I couldn't find any information about it.

Upvotes: 41

Views: 22564

Answers (6)

Erfan Ghezelbash

Reputation: 486

Where it is used:

Every Laravel component using encryption (not hashing) in your application uses APP_KEY (sessions, CSRF tokens and cookies).

Where it is not used:

Where Laravel uses hashing, like passwords and password_reset_token.

So, changing APP_KEY doesn't cause any problems for your passwords or password_reset tokens.

How it works:

APP_KEY is a private string (encryption_key) in your application that nobody knows about. So, if only your application knows the key, only your application can decrypt data that is encrypted by this key. This is how its security works.

** For more information about how it functionally works you can simply check this file in your project: EncryptionServiceProvider.php

Some best practices are:

  • Only store it in the .env file. (Do not store it in config/app.php or any Git-tracked files.)
  • Change it only when one of these situations arises:
    • You find out that your key may have been leaked. (So others can decrypt your data.)
    • You want to log out all users (users managed by session, not API tokens).
    • You want to invalidate cookies.

Upvotes: 19

Oğuz Can Sertel

Reputation: 759

If you look at the Laravel core, there is an Encrypter class (namespace Illuminate\Encryption) which is using app_key. And there is a method which is

/**
 * Encrypt the given value.
 *
 * @param  mixed  $value
 * @param  bool  $serialize
 * @return string
 *
 * @throws \Illuminate\Contracts\Encryption\EncryptException
 */
public function encrypt($value, $serialize = true)
{
    $iv = random_bytes(openssl_cipher_iv_length($this->cipher));

    // First we will encrypt the value using OpenSSL. After this is encrypted we
    // will proceed to calculating a MAC for the encrypted value so that this
    // value can be verified later as not having been changed by the users.
    $value = \openssl_encrypt(
        $serialize ? serialize($value) : $value,
        $this->cipher, $this->key, 0, $iv
    );

    if ($value === false) {
        throw new EncryptException('Could not encrypt the data.');
    }

    // Once we get the encrypted value we'll go ahead and base64_encode the input
    // vector and create the MAC for the encrypted value so we can then verify
    // its authenticity. Then, we'll JSON the data into the "payload" array.
    $mac = $this->hash($iv = base64_encode($iv), $value);

    $json = json_encode(compact('iv', 'value', 'mac'));

    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new EncryptException('Could not encrypt the data.');
    }

    return base64_encode($json);
}

And this method is used in 2 places, for sessions and cookies. Here are the methods.

This is for the session

/**
 * Prepare the serialized session data for storage.
 *
 * @param  string  $data
 * @return string
 */
protected function prepareForStorage($data)
{
    return $this->encrypter->encrypt($data);
}

And this is for the cookies

/**
 * Encrypt the cookies on an outgoing response.
 *
 * @param  \Symfony\Component\HttpFoundation\Response  $response
 * @return \Symfony\Component\HttpFoundation\Response
 */
protected function encrypt(Response $response)
{
    foreach ($response->headers->getCookies() as $cookie) {
        if ($this->isDisabled($cookie->getName())) {
            continue;
        }

        $response->headers->setCookie($this->duplicate(
            $cookie, $this->encrypter->encrypt($cookie->getValue(), static::serialized($cookie->getName()))
        ));
    }

    return $response;
}

Of course, there are also other packages using their own crypto methods, such as Swift Mailer in the vendor folder.

Upvotes: 0
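To make concrete what the encrypt() method above produces, and why Erfan's answer says rotating APP_KEY logs out session users and invalidates cookies, here is an added, stand-alone example (not Laravel's own code) that reimplements the same payload format and the verify-then-decrypt side. It assumes AES-256-CBC, a 32-byte key (what a base64: APP_KEY decodes to), a payload of base64(json{iv, value, mac}) and mac = HMAC-SHA256(base64(iv) . value, key); the demo key and session string are constructed values.

```php
<?php
// Added example, not Laravel's own code: a minimal reimplementation of the payload
// format built by Encrypter::encrypt() above, plus the verify-then-decrypt side.
// Assumptions: AES-256-CBC, a 32-byte key (what the base64: APP_KEY decodes to),
// payload = base64(json{iv, value, mac}), mac = HMAC-SHA256(base64(iv) . value, key).
const CIPHER = 'AES-256-CBC';

function encryptPayload(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $value = openssl_encrypt($plaintext, CIPHER, $key, 0, $iv); // base64 ciphertext
    $ivB64 = base64_encode($iv);
    // The MAC binds IV and ciphertext to the key: nobody without APP_KEY can alter them.
    $mac = hash_hmac('sha256', $ivB64 . $value, $key);
    return base64_encode(json_encode(['iv' => $ivB64, 'value' => $value, 'mac' => $mac]));
}

// Returns the plaintext, or null when the payload is malformed, tampered with, or
// was produced under a different key (as after `php artisan key:generate`).
function decryptPayload(string $payload, string $key): ?string
{
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !isset($data['iv'], $data['value'], $data['mac'])) {
        return null;
    }
    // Verify the MAC in constant time before touching the ciphertext.
    $expected = hash_hmac('sha256', $data['iv'] . $data['value'], $key);
    if (!hash_equals($expected, (string) $data['mac'])) {
        return null;
    }
    $plain = openssl_decrypt($data['value'], CIPHER, $key, 0, base64_decode($data['iv']));
    return $plain === false ? null : $plain;
}

// Constructed demo values, not real keys or session data.
$appKey = random_bytes(32);
$token = encryptPayload('user_id=42', $appKey);
if (decryptPayload($token, $appKey) !== 'user_id=42') {
    throw new RuntimeException('round trip failed');
}
// Flip one character of the ciphertext: the MAC check rejects the cookie.
$t = json_decode(base64_decode($token), true);
$t['value'][0] = $t['value'][0] === 'A' ? 'B' : 'A';
if (decryptPayload(base64_encode(json_encode($t)), $appKey) !== null) {
    throw new RuntimeException('tampered payload was accepted');
}
// Rotate the key: every existing session or cookie payload stops decrypting.
if (decryptPayload($token, random_bytes(32)) !== null) {
    throw new RuntimeException('old payload decrypted under a new key');
}
```

Run with `php example.php`; it exits silently when all three checks behave as described and throws otherwise.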

Saud Qureshi

Reputation: 1688

APP_KEY is used for encryption and not hashing. All data you encrypt in your application uses APP_KEY behind the scenes. Do remember that encrypted data can be decrypted, but hashed data cannot be decrypted.

A common misconception about APP_KEY is that it is related to password hashing. The truth is it's not, and here is the proof.

Taylor's tweet

You can see in the above tweet that APP_KEY has nothing to do with hashed data.

Upvotes: 35

user3678907

Reputation: 88

The app key is used for all encrypted data, like sessions, passwords, remember tokens, etc. Passwords saved with Hash::make() will no longer be valid after you run key:generate.

You can get some idea from here: link1 and link2

Upvotes: -4

Pawel Bieszczad

Reputation: 13325

The comment here says it's used in the encrypter. I found it here and here used with openssl_encrypt and openssl_decrypt. Without that key you cannot decrypt anything encrypted with those two functions, like session cookies stored on the user's computer. If they weren't encrypted, anyone with access to them could log in to the application as you.

Upvotes: 10

Iftikhar uddin

Reputation: 3182

Actually, the application key is used for all the encrypted data in Laravel. If the application key is not configured in .env, all your sessions and other encrypted data will not be secure!

For more, search the Laravel docs for "application key".

Upvotes: 0
