Previously, Laravel used the MCRYPT_RIJNDAEL_128 cipher for encryption (in <5.0). Now it's AES-256-CBC (>=5.1). Mcrypt seems to be abandonware and we should not use it.
I have an app written for Laravel <5.1 and migrated to Laravel 5.1. Can I change the cipher, or will it break everything?
EDIT:
In other words, can I switch from MCRYPT_RIJNDAEL_128 to AES-256-CBC in a Laravel production application with a populated database, connected users, etc. without service interruption, degradation or bugs?
Yes, you can do so. The only "built in" side effect should be that your users get logged out.
I say "built in" because if you have something else using that encryption key (running encrypt/decrypt on data in your DB, API/auth tokens, etc.), then you'd have to figure out how to migrate those as well.
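For the "something else using that encryption key" case, here is an added example (not from the question or either answer) of a one-off pass that re-encrypts a database column under the new cipher, using the McryptEncrypter that Laravel 5.1 still ships for the old cipher and the openssl-based Encrypter for the new one. It assumes a table `api_tokens` with an encrypted `token` column and that the pre-upgrade app used MCRYPT_RIJNDAEL_128; both are placeholders to adjust to your own schema and old config/app.php.

```php
<?php
// Added example: re-encrypt a column written under the pre-5.1 mcrypt cipher.
// Run once (e.g. from a console command) BEFORE removing the mcrypt extension,
// and take a backup of the table first. Table/column names are assumptions.

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;        // openssl-based encrypter, Laravel >= 5.1
use Illuminate\Encryption\McryptEncrypter;  // mcrypt-based encrypter kept in 5.1 for the old cipher
use Illuminate\Support\Facades\DB;

$key = config('app.key');                   // the same key is used under both ciphers
$old = new McryptEncrypter($key, MCRYPT_RIJNDAEL_128);  // assumed old cipher
$new = new Encrypter($key, 'AES-256-CBC');  // throws if the key is not 32 bytes long

/**
 * Re-encrypt one stored payload with the new cipher.
 * Returns null when the old encrypter cannot decrypt it (bad MAC, corrupt
 * payload), so the caller logs and skips the row instead of overwriting it.
 */
function reencrypt($payload, McryptEncrypter $old, Encrypter $new)
{
    try {
        $plain = $old->decrypt($payload);
    } catch (DecryptException $e) {
        return null;
    }

    return $new->encrypt($plain);
}

$skipped = 0;

// One transaction so a failure half-way leaves the column entirely old or entirely new.
// Ordering by id keeps chunk() stable while rows are being updated in place.
DB::transaction(function () use ($old, $new, &$skipped) {
    DB::table('api_tokens')->orderBy('id')->chunk(500, function ($rows) use ($old, $new, &$skipped) {
        foreach ($rows as $row) {
            $fresh = reencrypt($row->token, $old, $new);
            if ($fresh === null) {
                $skipped++;  // record $row->id somewhere and inspect it by hand
                continue;
            }
            DB::table('api_tokens')->where('id', $row->id)->update(['token' => $fresh]);
        }
    });
});

echo "Skipped {$skipped} row(s) that did not decrypt with the old cipher.\n";
```

Switch config/app.php to AES-256-CBC only after this pass has completed, otherwise requests arriving in between will hit the same openssl_decrypt() IV error the other answer describes.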
I just tried it in a running application, and at least it throws exceptions for users that already have cookies/sessions, and also when you are using 'encrypt' => true in config/sessions.php (which is disabled by default).
ErrorException in Encrypter.php line 101: openssl_decrypt(): IV passed is 32 bytes long which is longer than the 16 expected by selected cipher, truncating
Edit: This can be fixed by editing app/Http/Middleware/EncryptCookies.php and adding this function (the imports are shown so the override matches the base class's signature, which uses the Symfony Request):

    <?php

    namespace App\Http\Middleware;

    use Illuminate\Contracts\Encryption\DecryptException;
    use Illuminate\Cookie\Middleware\EncryptCookies as BaseEncrypter;
    use Symfony\Component\HttpFoundation\Request;

    class EncryptCookies extends BaseEncrypter
    {
        // Override of the base decrypt(): a cookie that cannot be decrypted is
        // dropped from the request instead of aborting it with an exception.
        protected function decrypt(Request $request)
        {
            foreach ($request->cookies as $key => $c) {
                if ($this->isDisabled($key)) {
                    continue;
                }
                try {
                    $request->cookies->set($key, $this->decryptCookie($c));
                } catch (DecryptException $e) {
                    $request->cookies->set($key, null); // invalid payload or MAC
                } catch (\ErrorException $e) {
                    $request->cookies->set($key, null); // openssl_decrypt() IV-length warning
                }
            }
            return $request;
        }
    }
This will remove the cookies that cannot be decoded, so basically it logs the user out.