DEV Community

Zubair Mohsin
Zubair Mohsin

Posted on

Laravel's default cookies and where to find them

#laravel #php #cookies #webdev

Laravel adds two cookies by default when you create a fresh project.

These cookies have encrypted data. Laravel takes care of encryption and decryption for us.

Where to find their implementation?

Laravel comes with many middlewares out of the box. You can see them in App/Http/Kernel.php.
Two such middleware classes are:

  • \App\Http\Middleware\VerifyCsrfToken::class
  • \Illuminate\Session\Middleware\StartSession::class

VerifyCsrfToken::class extend a base class of same name.

  • Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class

Above base class from framework contains the implementation fo XSRF-TOKEN cookie.

XSRF-TOKEN cookie implementation 

    /**
     * Add the CSRF token to the response cookies.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Symfony\Component\HttpFoundation\Response  $response
     * @return \Symfony\Component\HttpFoundation\Response
     */
    protected function addCookieToResponse($request, $response)
    {
        $config = config('session');

        if ($response instanceof Responsable) {
            $response = $response->toResponse($request);
        }

        $response->headers->setCookie(
            new Cookie(
                'XSRF-TOKEN', $request->session()->token(), $this->availableAt(60 * $config['lifetime']),
                $config['path'], $config['domain'], $config['secure'], false, false, $config['same_site'] ?? null
            )
        );

        return $response;
    }
Enter fullscreen mode Exit fullscreen mode

Session cookie implementation

\Illuminate\Session\Middleware\StartSession::class contains the same method as above.

    /**
     * Add the session cookie to the application response.
     *
     * @param  \Symfony\Component\HttpFoundation\Response  $response
     * @param  \Illuminate\Contracts\Session\Session  $session
     * @return void
     */
    protected function addCookieToResponse(Response $response, Session $session)
    {
        if ($this->sessionIsPersistent($config = $this->manager->getSessionConfig())) {
            $response->headers->setCookie(new Cookie(
                $session->getName(), $session->getId(), $this->getCookieExpirationDate(),
                $config['path'], $config['domain'], $config['secure'] ?? false,
                $config['http_only'] ?? true, false, $config['same_site'] ?? null
            ));
        }
    }
Enter fullscreen mode Exit fullscreen mode

Let me know if I missed a cookie 🍪 Happy coding with Laravel.

Oldest comments (3)

Collapse
 
williamabbott profile image
williamabbott

I'm actually getting 3 cookies:

"XSRF-TOKEN" => "9QD4JhJFKGx1C7CoTVRmr7CLMepjEOwbkf4kDimH"
"site_name" => "ddj5gOwBAuZ1nQjqUgBQcXTiuGCJ0ewRb7rP9vks"
"ddj5gOwBAuZ1nQjqUgBQcXTiuGCJ0ewRb7rP9vks" => "{"data":"a:4:{s:6:\"_token\";s:40:\"9QD4JhJFKGx1C7CoTVRmr7CLMepjEOwbkf4kDimH\";s:9:\"_previous\";a:1:{s:3:\"url\";s:20:\"http:\/\/site.test\/csrf\";}s:6:\"_flash\";a:2:{s:3:\"old\";a:0:{}s:3:\"new\";a:0:{}}s:3:\"url\";a:1:{s:8:\"intended\";s:25:\"http:\/\/site.test\/api\/stats\";}}","expires":1584961961}"
Collapse
 
zubairmohsin33 profile image
Zubair Mohsin

Is this a fresh Laravel application?

I was actually facing this problem and tried to debug it.

Are you using any 3rd party packages? 🤔

Collapse
 
williamabbott profile image
williamabbott

Ah, it was because I had SESSION_DRIVER set to 'cookie', so of course it's passing back the session data in a cookie, changing to 'file' will keep all this server side.

Read next

josefine profile image

Making Disabled Buttons more Accessible

Josefine Schfr -

epakconsultant profile image

Creating Your First Web App with FlutterFlow: A Comprehensive Guide

sajjad hussain -

antonmartyniuk profile image

Building Responsive Design Using Viewport CSS Units

Anton Martyniuk -

abbeyperini profile image

12 Tips from a Mid-level Developer

Abbey Perini -