Plain text values in encrypted cookie Slim framework
21-12-2019
Question
The documentation for the Slim framework says it uses encrypted cookies for login: http://docs.slimframework.com/#Cookie-Session-Store
However, when I built my login system and inspected the cookie values with a Chrome extension, I found that there are plain text values in the cookie. I thought I had done something wrong, so I downloaded the example app by a Slim framework staff member, https://github.com/briannesbitt/Slim-ContextSensitiveLoginLogout, and checked the value. It still looks something like this:
a%3A2%3A%7Bs%3A10%3A%22slim.flash%22%3Ba%3A0%3A%7B%7Ds%3A4%3A%22user%22%3Bs%3A16%3A%22brian%40nesbot.com%22%3B%7D
We can clearly see the "slim.flash" and "user" session variable names, the email... How can this be normal if the cookie is "encrypted"?
You can check the configuration in the GitHub link's index.php.
Solution
The default Slim configuration has cookies.encrypt set to false. In that example you have:
$app = new \Slim\Slim();
Configure it to:
$app = new \Slim\Slim(array(
    'cookies.encrypt'     => true,
    'cookies.secret_key'  => 'YOUR_SECRET_KEY', // replace with a long, random secret
    'cookies.cipher'      => MCRYPT_RIJNDAEL_256,
    'cookies.cipher_mode' => MCRYPT_MODE_CBC
));
Also, if you're using mcrypt as in the above example, don't forget to install the extension.
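As an added illustration for both the question and the answer (this is example code, not from the original post and not Slim's own implementation), the block below first shows that the cookie value quoted in the question is nothing more than urlencode(serialize(...)) and can be read back by anyone who sees it, and then builds an encrypt-then-MAC cookie value of the kind you get once encryption is actually switched on. It uses OpenSSL rather than mcrypt because the mcrypt extension is deprecated in PHP 7.1 and removed from core in PHP 7.2; the sealCookie/openCookie helper names, the key-derivation scheme and the secret string are this example's own assumptions.

```php
<?php
// Added example, not Slim's code: decode the observed plaintext cookie, then
// produce and verify an encrypt-then-MAC cookie value with OpenSSL.

// The value seen in the browser (copied from the question).
$observed = 'a%3A2%3A%7Bs%3A10%3A%22slim.flash%22%3Ba%3A0%3A%7B%7Ds%3A4%3A%22user%22%3Bs%3A16%3A%22brian%40nesbot.com%22%3B%7D';

// Anyone can reverse this encoding. allowed_classes => false (PHP 7+) keeps
// unserialize() from instantiating objects while inspecting untrusted data.
$decoded = unserialize(urldecode($observed), ['allowed_classes' => false]);
var_dump($decoded);

// --- Encrypt-then-MAC cookie value (this example's own construction) ---

function sealCookie(array $session, string $secret): string
{
    // Derive separate encryption and MAC keys from the configured secret
    // (hypothetical derivation; a real deployment would use a KDF such as HKDF).
    $encKey = hash('sha256', 'enc' . $secret, true);
    $macKey = hash('sha256', 'mac' . $secret, true);

    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $ciphertext = openssl_encrypt(
        serialize($session), 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv
    );
    $payload = $iv . $ciphertext;
    // MAC covers IV and ciphertext so neither can be altered undetected.
    $tag = hash_hmac('sha256', $payload, $macKey, true);

    return base64_encode($tag . $payload);
}

function openCookie(string $cookie, string $secret)
{
    $encKey = hash('sha256', 'enc' . $secret, true);
    $macKey = hash('sha256', 'mac' . $secret, true);

    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 32 + 16) {
        return null; // malformed
    }
    $tag     = substr($raw, 0, 32);
    $payload = substr($raw, 32);

    // Verify the MAC before touching the ciphertext, in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, $macKey, true), $tag)) {
        return null; // tampered, or sealed under a different secret
    }
    $iv    = substr($payload, 0, 16);
    $plain = openssl_decrypt(
        substr($payload, 16), 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv
    );
    return $plain === false ? null : unserialize($plain, ['allowed_classes' => false]);
}

$secret = 'replace-with-a-long-random-secret'; // hypothetical placeholder
$sealed = sealCookie($decoded, $secret);
echo $sealed, "\n";                                    // no readable names or e-mail
var_dump(openCookie($sealed, $secret) === $decoded);   // round-trips under the right secret

// Flip one byte of the payload: the MAC check fails, so nothing is decrypted
// and no padding-oracle style feedback about the ciphertext is given.
$tampered = base64_decode($sealed);
$tampered[40] = chr(ord($tampered[40]) ^ 1);
var_dump(openCookie(base64_encode($tampered), $secret));
```

Two practical checks follow from this: if urldecode() plus unserialize() on the cookie value gives you back your session array, encryption is not on, whatever the documentation says; and whichever cipher setting you end up with, the value must be authenticated (a MAC checked before decryption) so that a client cannot feed modified ciphertext back to the server, and the placeholder 'YOUR_SECRET_KEY' must be replaced by a long random secret that never ships in the repository.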