Laravel 5.5 升级到 5.5.42 后遇到的 Cookie 序列化问题

摘要：查阅官方文档后得知，新版为了防止对象的序列化反序列化漏洞被利用，不再对值进行自动的序列化和反序列化处理。举个栗子更新到后，因为不再自动对值进行序列化处理，而只能加密字符串数据，这个时候程序就会抛出错误。

最近手残升级了项目里 Laravel 的小版本号（v5.5.39 => v5.5.45），这不升级则已，一升级就出了问题！

Sentry 平台上提示错误：openssl_encrypt() expects parameter 1 to be string, array given，具体报错记录如下：

ErrorException
openssl_encrypt() expects parameter 1 to be string, array given
vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php in handleError at line 91
vendor/sentry/sentry/lib/Raven/Breadcrumbs/ErrorHandler.php in handleError at line 34
vendor/sentry/sentry/lib/Raven/Breadcrumbs/ErrorHandler.php in openssl_encrypt
vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php in encrypt at line 91
vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php in encrypt at line 139
vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php in handle at line 66
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in then at line 102
vendor/laravel/framework/src/Illuminate/Routing/Router.php in runRouteWithinStack at line 660
vendor/laravel/framework/src/Illuminate/Routing/Router.php in runRoute at line 635
vendor/laravel/framework/src/Illuminate/Routing/Router.php in dispatchToRoute at line 601
vendor/laravel/framework/src/Illuminate/Routing/Router.php in dispatch at line 590
vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php in IlluminateFoundationHttp{closure} at line 176
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 30
vendor/barryvdh/laravel-debugbar/src/Middleware/InjectDebugbar.php in handle at line 58
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/fideloper/proxy/src/TrustProxies.php in handle at line 56
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php in handle at line 30
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php in handle at line 30
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php in handle at line 27
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/CheckForMaintenanceMode.php in handle at line 46
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in then at line 102
vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php in sendRequestThroughRouter at line 151
vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php in handle at line 116
public/index.php at line 55

仔细查看上面的异常堆栈记录，并且进行断点调试，最终确定是由于 Laravel 5.5 升级小版本后 Cookie 加密的逻辑变动所导致的报错。

查阅 Laravel 官方文档（Laravel 5.5 Upgrade Guide）后得知，Laravel 新版为了防止 PHP 对象的序列化/反序列化漏洞被利用，不再对 Cookie 值进行自动的序列化和反序列化处理。

举个栗子：

Cookie::queue("user", ["id" => 1, "name" => "admin"], 720, "/")

Laravel 更新到 v5.5.42 后，因为 Laravel 不再自动对 Cookie 值 ["id" => 1, "name" => "admin"] 进行序列化处理，而 openssl_encrypt ( string $data ... ) 只能加密字符串数据，这个时候程序就会抛出错误：openssl_encrypt() expects parameter 1 to be string, array given。

解决方法：

新版里面在中间件 AppHttpMiddlewareEncryptCookies 新增静态属性 $serialize，当设置为 true 时可开启 Cookie 值的自动序列化和反序列化处理。

/**
 * Indicates if cookies should be serialized.
 *
 * @var bool
 */
protected static $serialize = true;

【推荐】将 Cookie 值使用 JSON 函数编码成字符串后再进行存储（获取 Cookie 值后需调用 JSON 函数进行解码）。

Cookie::queue("user", json_encode(["id" => 1, "name" => "admin"]), 720, "/");

-EOF-

首发于知乎专栏《PHP和Laravel学习》：https://zhuanlan.zhihu.com/p/...

扫码关注《PHP和Laravel学习》微信公众号：