What is the significance of Application key in a Laravel Application?

Tags: php, laravel

From the Laravel docs:

Application Key: The next thing you should do after installing Laravel is set your application key to a random string. If you installed Laravel via Composer or the Laravel installer, this key has already been set for you by the php artisan key:generate command.

Typically, this string should be 32 characters long. The key can be set in the .env environment file. If you have not renamed the .env.example file to .env, you should do that now. If the application key is not set, your user sessions and other encrypted data will not be secure!

What I know about the application key is: if the application key is not set, I generally get an exception.

  • How does this random string help to secure the session?
  • What are the other uses of this application key?
  • If I use the same application key everywhere (like staging, production etc.), does it make the application less secure?
  • What are some best practices for this key?
Shobi asked Mar 23 '18 08:03


1 Answer

As we can see, it's used in EncryptionServiceProvider:

// Illuminate\Encryption\EncryptionServiceProvider. The 'key' and 'cipher'
// entries of the 'app' config come from config/app.php, where 'key' is
// filled from APP_KEY in .env.
use Illuminate\Encryption\Encrypter;
use Illuminate\Support\Str;

public function register()
{
    $this->app->singleton('encrypter', function ($app) {
        $config = $app->make('config')->get('app');

        // If the key starts with "base64:", we will need to decode the key before handing
        // it off to the encrypter. Keys may be base-64 encoded for presentation and we
        // want to make sure to convert them back to the raw bytes before encrypting.
        if (Str::startsWith($key = $this->key($config), 'base64:')) {
            $key = base64_decode(substr($key, 7));
        }

        // One Encrypter instance, bound to APP_KEY, is shared by every consumer
        return new Encrypter($key, $config['cipher']);
    });
}

So every component that uses encryption (session, encryption in user scope, CSRF token) benefits from the app_key.


The rest of the questions can be answered by "how encryption (AES) works": just open up Encrypter.php and confirm that Laravel uses AES under the hood and encodes the result to base64.

Furthermore, we can see how it's all done by using tinker:

➜  laravel git:(staging) ✗ art tinker
Psy Shell v0.8.17 (PHP 7.1.14 — cli) by Justin Hileman
>>> encrypt('Hello World!')
=> "eyJpdiI6ImgzK08zSDQyMUE1T1NMVThERjQzdEE9PSIsInZhbHVlIjoiYzlZTk1td0JJZGtrS2luMlo0QzdGcVpKdTEzTWsxeFB6ME5pT1NmaGlQaz0iLCJtYWMiOiI3YTAzY2IxZjBiM2IyNDZiYzljZGJjNTczYzA3MGRjN2U3ZmFkMTVmMWRhMjcwMTRlODk5YTg5ZmM2YjBjMGNlIn0="

Note: I used this key: base64:Qc25VgXJ8CEkp790nqF+eEocRk1o7Yp0lM1jWPUuocQ= to encrypt Hello World!

After decoding the result we get (you can try decoding your own session cookie):

{"iv":"h3+O3H421A5OSLU8DF43tA==","value":"c9YNMmwBIdkkKin2Z4C7FqZJu13Mk1xPz0NiOSfhiPk=","mac":"7a03cb1f0b3b246bc9cdbc573c070dc7e7fad15f1da27014e899a89fc6b0c0ce"}

To understand the above JSON (iv, value, mac) you need to understand AES:

  • https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Best practices for application key

  • do store it in the .env file only
  • do not store it in app.php, or in fact in any git-tracked file
  • do not change it unless you really want to:
    • invalidate sessions/cookies (user logout)
    • invalidate password reset tokens
    • invalidate signed urls

Obvious note: changing the application key has no effect on hashed passwords, since hashing algorithms do not require encryption keys.

Kyslik answered Oct 06 '22 02:10
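As an added example (not Laravel's own code, and not part of the answer above), a standalone PHP script that rebuilds the iv/value/mac payload the same way Encrypter does, reusing the "base64:" key handling from the service provider, and shows why the "do not change it" advice holds: a cookie encrypted under the old APP_KEY fails the MAC check under a new key before anything is decrypted. The first key is the one quoted in the answer; the second is generated on the fly as a stand-in for a rotated key.

```php
<?php
// Added example, not Laravel's own code: a minimal re-implementation of the
// iv/value/mac payload built by Illuminate\Encryption\Encrypter, plus the
// "base64:" key handling from EncryptionServiceProvider shown above.
const CIPHER = 'AES-256-CBC';
function loadKey(string $appKey): string
{
    if (strncmp($appKey, 'base64:', 7) === 0) {
        $appKey = base64_decode(substr($appKey, 7), true);
    }
    if ($appKey === false || strlen($appKey) !== 32) {
        throw new RuntimeException('AES-256-CBC needs a 32-byte key.');
    }
    return $appKey;
}
function encryptPayload(string $plain, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    // options = 0 makes openssl_encrypt return base64, as Laravel does
    $value = openssl_encrypt(serialize($plain), CIPHER, $key, 0, $iv);
    $iv = base64_encode($iv);
    // mac = HMAC-SHA256 over base64(iv) . base64(ciphertext), keyed with APP_KEY
    $mac = hash_hmac('sha256', $iv.$value, $key);
    return base64_encode(json_encode(compact('iv', 'value', 'mac')));
}
function decryptPayload(string $payload, string $key)
{
    $p = json_decode(base64_decode($payload), true);
    if (!is_array($p) || !isset($p['iv'], $p['value'], $p['mac'])) {
        throw new RuntimeException('Invalid payload.');
    }
    // Check the MAC before decrypting; a payload made under another key fails here
    if (!hash_equals(hash_hmac('sha256', $p['iv'].$p['value'], $key), $p['mac'])) {
        throw new RuntimeException('The MAC is invalid.');
    }
    $plain = openssl_decrypt($p['value'], CIPHER, $key, 0, base64_decode($p['iv']));
    return unserialize($plain);
}
// Key quoted in the answer above; $newKey is a freshly generated stand-in for a rotated APP_KEY
$oldKey = loadKey('base64:Qc25VgXJ8CEkp790nqF+eEocRk1o7Yp0lM1jWPUuocQ=');
$newKey = random_bytes(32);
$cookie = encryptPayload('Hello World!', $oldKey);
echo base64_decode($cookie), "\n";            // the {"iv":..,"value":..,"mac":..} JSON
echo decryptPayload($cookie, $oldKey), "\n";  // round trip under the original key
try {
    decryptPayload($cookie, $newKey);         // an old session cookie after key rotation
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";              // rejected at the MAC check
}
```

Run it with `php script.php`; the same rejection is what every existing session cookie, password reset token and signed URL hits once APP_KEY changes.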