What is the significance of Application key in a Laravel Application?

17
votes

from laravel docs

Application Key The next thing you should do after installing Laravel is set your application key to a random string. If you installed Laravel via Composer or the Laravel installer, this key has already been set for you by the php artisan key:generate command.

Typically, this string should be 32 characters long. The key can be set in the .env environment file. If you have not renamed the .env.example file to .env, you should do that now. If the application key is not set, your user sessions and other encrypted data will not be secure!

What I know about application key is: If the application key is not set, generally I do get an exception.

  • How do this random string help to secure the session?
  • What are the other uses of this application key?
  • If I use the same application key everywhere (like staging, production etc..) does it make the application less secure?
  • what are some best practices for this key
1
phplaravel
please be kind to explain downvotes. so that I could delete this post if neccessory. thanks - Shobi
If I use the same application key everywhere (like staging, production etc..) does it make the application less secure? I even reset staging key on every deploy. - Kyslik
So every session is invalidated :), besides that from config/app.php: This key is used by the Illuminate encrypter service... - Kyslik
I don't know why downvote this is a very good question from what I know it's used in cookie encryption and session data encryption.May be it has some role in api security but i don't know I never tried to learn more about but now that you have put up this question I am curious - Vinay
Take a look at this general community question. - Eazy Sam

1 Answers

19
votes

As we can see its used in EncryptionServiceProvider:

public function register()
{
    $this->app->singleton('encrypter', function ($app) {
        $config = $app->make('config')->get('app');

        // If the key starts with "base64:", we will need to decode the key before handing
        // it off to the encrypter. Keys may be base-64 encoded for presentation and we
        // want to make sure to convert them back to the raw bytes before encrypting.
        if (Str::startsWith($key = $this->key($config), 'base64:')) {
            $key = base64_decode(substr($key, 7));
        }

        return new Encrypter($key, $config['cipher']);
    });
}

So every component that uses encryption: session, encryption (user scope), csrf token benefit from the app_key.

Rest of the questions can be answered by "how encryption" (AES) works, just open up Encrypter.php, and confirm that Laravel uses AES under the hood and encodes the result to base64.

Further more we can see how its all done by using tinker:

➜  laravel git:(staging) ✗ art tinker
Psy Shell v0.8.17 (PHP 7.1.14 — cli) by Justin Hileman
>>> encrypt('Hello World!')
=> "eyJpdiI6ImgzK08zSDQyMUE1T1NMVThERjQzdEE9PSIsInZhbHVlIjoiYzlZTk1td0JJZGtrS2luMlo0QzdGcVpKdTEzTWsxeFB6ME5pT1NmaGlQaz0iLCJtYWMiOiI3YTAzY2IxZjBiM2IyNDZiYzljZGJjNTczYzA3MGRjN2U3ZmFkMTVmMWRhMjcwMTRlODk5YTg5ZmM2YjBjMGNlIn0="

Note: I used this key: base64:Qc25VgXJ8CEkp790nqF+eEocRk1o7Yp0lM1jWPUuocQ= to encrypt Hello World!

After decoding the result we get (you can try decode your own cookie with session):

{"iv":"h3+O3H421A5OSLU8DF43tA==","value":"c9YNMmwBIdkkKin2Z4C7FqZJu13Mk1xPz0NiOSfhiPk=","mac":"7a03cb1f0b3b246bc9cdbc573c070dc7e7fad15f1da27014e899a89fc6b0c0ce"}

to understand above json (iv, value, mac) you need to understand AES:

Best practices for application key

  • do store it in .env file only
  • do not store it in app.php, in fact in any git tracked file
  • do not change it unless you really want to
    • invalidate sessions/cookies (user logout)
    • invalidate password reset tokens
    • invalidate signed urls

Obvious Note: Changing application key has no effect on hashed passwords since hashing algorithms do not require encryption keys.