Cookie serialization problems encountered after Laravel 5.5 upgrade to 5.5.42

Recently, the small version number of Laravel (v5.5.39 = > v5.5.45) in the project has been upgraded for the manual disabled. If it is not upgraded, it will have problems as soon as it is upgraded!

Error prompt on Sentry platform: openssl_encrypt() expectations parameter 1 to be string, array given. The specific error record is as follows:

ErrorException
openssl_encrypt() expects parameter 1 to be string, array given
vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php in handleError at line 91
vendor/sentry/sentry/lib/Raven/Breadcrumbs/ErrorHandler.php in handleError at line 34
vendor/sentry/sentry/lib/Raven/Breadcrumbs/ErrorHandler.php in openssl_encrypt
vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php in encrypt at line 91
vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php in encrypt at line 139
vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php in handle at line 66
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in then at line 102
vendor/laravel/framework/src/Illuminate/Routing/Router.php in runRouteWithinStack at line 660
vendor/laravel/framework/src/Illuminate/Routing/Router.php in runRoute at line 635
vendor/laravel/framework/src/Illuminate/Routing/Router.php in dispatchToRoute at line 601
vendor/laravel/framework/src/Illuminate/Routing/Router.php in dispatch at line 590
vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php in Illuminate\Foundation\Http\{closure} at line 176
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 30
vendor/barryvdh/laravel-debugbar/src/Middleware/InjectDebugbar.php in handle at line 58
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/fideloper/proxy/src/TrustProxies.php in handle at line 56
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php in handle at line 30
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php in handle at line 30
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php in handle at line 27
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/CheckForMaintenanceMode.php in handle at line 46
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in then at line 102
vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php in sendRequestThroughRouter at line 151
vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php in handle at line 116
public/index.php at line 55

Check the above exception stack record carefully and debug the breakpoint. It is finally determined that the error is caused by the logic change of Cookie encryption after the upgrade of Laravel 5.5.

Check official Laravel documentation( Laravel 5.5 Upgrade Guide )Later, we learned that in order to prevent the serialization / deserialization vulnerability of PHP objects from being exploited, the new version of Laravel no longer automatically serializes and deserializes Cookie values.

Here's a chestnut:

\Cookie::queue('user', ['id' => 1, 'name' => 'admin'], 720, '/')

After Laravel is updated to v5.5.42, because Laravel no longer automatically serializes the Cookie values ['id '= > 1,' name '= > admin'], openssl_encrypt (string $data...) can only encrypt string data. At this time, the program will throw an error: openssl_encrypt() expectations parameter 1 to be string, array given.

resolvent:

  • In the new version, the static property $serialize is added to the middleware AppHttpMiddlewareEncryptCookies. When it is set to true, automatic serialization and deserialization of Cookie values can be enabled.
/**
 * Indicates if cookies should be serialized.
 *
 * @var bool
 */
protected static $serialize = true;
  • [recommended] use JSON function to encode Cookie value into string and then store it (call JSON function to decode after obtaining Cookie value).
\Cookie::queue('user', json_encode(['id' => 1, 'name' => 'admin']), 720, '/');

-EOF-

First published in Zhihu column "PHP and Laravel learning": https://zhuanlan.zhihu.com/p/...

Scan code focuses on PHP and Laravel learning WeChat public:

Tags: PHP Laravel JSON

Posted on Sun, 01 Dec 2019 10:18:59 -0800 by Major Tom