
Thursday, February 17, 2022

[FIXED] "unserialize(): Error at offset 0 of 61 bytes" on latest Cookies Laravel

February 17, 2022. Tags: cookies, deserialization, laravel-5, php

Issue

So, as the title says, I am getting an error in Laravel 5.5 in production:

unserialize(): Error at offset 0 of 61 bytes

This, however, was not happening before. It started to happen a week ago.

When a user (guest) clicks on a button, an AJAX request is sent to the server, which creates a cookie for the user, saves it to the DB and saves it to the user's browser.

If the user is not authenticated and his cookie is not yet created, this code executes.

$hash = randHash(20);

// Cookie is saved into DB

Cookie::queue('Posts', $hash, 45000);

And afterwards there is a middleware on server which executes on every request.

if($cookie = Cookie::get('Posts')){
   $cookie = Crypt::decrypt($cookie);

   // Rest of code
}

The problem is that a week ago the newest cookies could no longer be unserialized. After inspecting it more closely, I found out this:

I decrypted the cookie without unserializing it, and instead of looking like this:

s:20:"Cookie";

it looked like this:

SomeRandomString|Cookie

and, as you can see, the second form cannot be unserialized. I honestly have no idea how to fix this.

Here are some things that I tried or saw:

  • Clearing sessions and caches - Did not work
  • key:generate - Unable to do this, since it is in production
  • $serialize variable in EncryptCookies to false - I am working in Laravel 5.5

EDIT

As I forgot to mention, the version was never upgraded. It was deployed on 5.5 and has stayed that way since.


Solution

This is an issue I encountered when an upgrade took place from Laravel 5.4 to 5.5, which possibly happened a week ago (maybe without your knowledge; check the git log on composer.json). Someone is trying to log into the site with a cookie that was signed in with when your application was on 5.4, but now they won't work with 5.5, due to what I believe was a backwards-compatibility miss.

To get a user back on track with the site at 5.5, they can expire their cookies and they will be able to log back in.

Cast your eyes on the section "Upgrading To 5.5.42 From 5.5 (Security Release)" in this: https://laravel.com/docs/5.5/upgrade

Upgrading to 5.5.42 removes cookie serialization from your application, therefore unserialize() is no longer called, and you don't get the error above.

I believe you are working on Laravel 5.5, but not the very latest version, 5.5.42. When I did the update to 5.5 in composer, it missed this version, as I applied the upgrade to 5.5 and nothing higher to minimize dependency changes.

You can repeat the error by logging out, clearing your cookies, checking out your 5.4 version, running composer install, logging in, installing your 5.5 version, and then hitting your local.

It's possible to catch the exception in the middleware and handle it there, but getting rid of cookie serialization is the easier and more secure way to go.
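For the "handle it in the middleware" route, here is an added example (not the answerer's code and not Laravel's own) of reading the decrypted "Posts" cookie in both layouts shown in the question without ever calling unserialize() on it. It assumes the caller already has the decrypted payload as a plain string (which is what you get once cookie unserialization is off, as the 5.5.42 upgrade does), that the new layout is prefix|value with a per-cookie-name HMAC as the prefix, and that the HMAC is the sha1 HMAC of name.'v2' keyed by APP_KEY; the key and sample payloads are constructed.

```php
<?php
// Added example (not from the post): read the decrypted "Posts" cookie in
// both layouts seen above without ever calling unserialize() on it.
// Assumed, not stated on the page: the new layout is <prefix>|<value> where
// <prefix> is an HMAC that ties the value to the cookie name (Laravel >= 5.5.42).

function cookiePrefix(string $cookieName, string $appKey): string
{
    // Assumed to match the framework's prefix: sha1 HMAC of name.'v2' keyed by APP_KEY.
    return hash_hmac('sha1', $cookieName . 'v2', $appKey) . '|';
}

// Returns the cookie's string value, or null if the payload is in neither layout
// or its prefix was made for a different cookie name.
function readCookieValue(string $decrypted, string $cookieName, string $appKey): ?string
{
    // Legacy layout: s:N:"...";  Extract with a strict pattern so that only a
    // plain string (never an object) is accepted, and the length must agree.
    if (preg_match('/^s:(\d+):"(.*)";$/s', $decrypted, $m) && strlen($m[2]) === (int) $m[1]) {
        return $m[2];
    }

    // New layout: prefix|value. Verify the prefix in constant time so a value
    // lifted from another cookie name is rejected instead of silently used.
    $prefix = cookiePrefix($cookieName, $appKey);
    $len = strlen($prefix);
    if (strlen($decrypted) > $len && hash_equals($prefix, substr($decrypted, 0, $len))) {
        return substr($decrypted, $len);
    }

    return null;
}

// Constructed sample payloads; $appKey stands in for the real APP_KEY.
$appKey = 'constructed-demo-key-not-a-real-secret';
$hash   = 'abcdefghij0123456789';                 // 20-char value, like randHash(20)
$legacy = 's:20:"' . $hash . '";';                // what cookies looked like before
$new    = cookiePrefix('Posts', $appKey) . $hash; // what they look like now
$other  = cookiePrefix('Other', $appKey) . $hash; // prefix made for another cookie

foreach (['legacy' => $legacy, 'new' => $new, 'other' => $other] as $label => $payload) {
    $value = readCookieValue($payload, 'Posts', $appKey);
    printf("%-6s -> %s\n", $label, $value === null ? 'rejected' : $value);
}
```

The legacy branch accepts only a serialized plain string, so a payload carrying a serialized object is rejected rather than instantiated.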



Answered By - Paul Stanley
Copyright © PHPFixing