Question

The documentation for the Slim framework says it uses encrypted cookies for login. http://docs.slimframework.com/#Cookie-Session-Store

However, when I built my login system and inspected the cookie values with a Chrome extension, I found that there are plain text values in the cookie. I thought I had done something wrong, so I downloaded the example app by a slimframework staff member https://github.com/briannesbitt/Slim-ContextSensitiveLoginLogout and checked the value. It still looks something like this:

a%3A2%3A%7Bs%3A10%3A%22slim.flash%22%3Ba%3A0%3A%7B%7Ds%3A4%3A%22user%22%3Bs%3A16%3A%22brian%40nesbot.com%22%3B%7D

We can clearly see the "slim.flash" and "user" session variable names and the email. How can this be normal if the cookie is "encrypted"?

You can check the configuration in the GitHub link's index.php.


Solution

The default Slim configuration has cookies.encrypt set to false. In that example, you have:

$app = new \Slim\Slim();

Configure it to:

$app = new \Slim\Slim(array(
    'cookies.encrypt' => true,
    'cookies.secret_key' => 'YOUR_SECRET_KEY',
    'cookies.cipher' => MCRYPT_RIJNDAEL_256,
    'cookies.cipher_mode' => MCRYPT_MODE_CBC
));

Also, if you're using mcrypt as in the above example, don't forget to install the extension.
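A quick way to check whether a Slim session cookie is actually protected is to try to decode it: with cookies.encrypt set to false, the value is just URL-encoded output of PHP's serialize(), so it parses cleanly. The following is an added example (not part of the question or answer, and not Slim's own code) that decodes the cookie value quoted in the question with a small parser for the serialize() subset Slim writes (arrays, strings, integers, booleans, null); an encrypted cookie will fail this parse.

```python
from urllib.parse import unquote_to_bytes

# Cookie value quoted in the question (cookies.encrypt => false).
COOKIE = ("a%3A2%3A%7Bs%3A10%3A%22slim.flash%22%3Ba%3A0%3A%7B%7Ds%3A4%3A"
          "%22user%22%3Bs%3A16%3A%22brian%40nesbot.com%22%3B%7D")


def parse_php_serialized(data: bytes, pos: int = 0):
    """Parse one value of PHP serialize() output starting at pos.
    Returns (value, position after the value). Works on bytes because
    PHP string lengths (s:<len>:"...") are byte counts, not characters."""
    tag = data[pos:pos + 1]
    if tag == b"s":                                   # s:<len>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip ':"'
        return data[start:start + length].decode("utf-8"), start + length + 2
    if tag == b"i":                                   # i:<int>;
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == b"b":                                   # b:0; or b:1;
        end = data.index(b";", pos)
        return data[pos + 2:end] == b"1", end + 1
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag == b"a":                                   # a:<count>:{key;value...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                               # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = parse_php_serialized(data, pos)
            value, pos = parse_php_serialized(data, pos)
            result[key] = value
        return result, pos + 1                        # skip '}'
    raise ValueError(f"unsupported serialize() tag {tag!r} at offset {pos}")


def decode_slim_cookie(cookie_value: str):
    """URL-decode the cookie and parse it; raises if it is not plain serialize() output."""
    raw = unquote_to_bytes(cookie_value)
    value, end = parse_php_serialized(raw)
    if end != len(raw):
        raise ValueError("trailing bytes after serialized value")
    return value


def cookie_is_plaintext(cookie_value: str) -> bool:
    """True if the session contents are readable without any key."""
    try:
        decode_slim_cookie(cookie_value)
        return True
    except (ValueError, IndexError, UnicodeDecodeError):
        return False
```

Running decode_slim_cookie(COOKIE) yields {'slim.flash': {}, 'user': 'brian@nesbot.com'}, which is exactly what the question observed in the browser.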

Licensed under: CC-BY-SA with attribution