All Products

PHP Framework

Starter Kits

Packages

Developers

Resources

Upcoming Events

Learn

Watch series
Laracasts

Featured products

Cloud

Cloud New

A fully managed application platform for deploying and hosting Laravel applications.

Pay as you go pricing
Nightwatch

Nightwatch New

Unparalleled monitoring and insights into your application's performance.

Get started for free
Forge

Forge

Provision VPS servers and deploy on DigitalOcean, Akamai, Vultr, Amazon, Hetzner, and more.

Plans from $12 / month
Nova

Nova

The simplest and fastest way to build production-ready administration panels using Laravel.

Licenses from $99

PHP Framework

Starter Kits

Packages

Developers

Resources

Upcoming events

Learn

Watch series
Laracasts
Blog / General

Laravel Cookie Security Releases

Today we released several fixes to address a security vulnerability in the framework that we were notified of during the weekend.

Application's using the "cookie" session driver were the primary applications affected by this vulnerability. Since we have not yet released a security release for the Laravel 5.5 version of the framework, we recommend that all applications running Laravel 5.5 and earlier do not use the "cookie" session driver in their production deployments.

We have also released Passport 9.3.2 to provide compatibility with today's releases. If you are running Passport on Laravel 6.x or 7.x, you should update to today's Passport 9.3.2 release. The Passport release is not a security release; however, the library needed updates to be compatible with today's framework changes.

Regarding the vulnerability, applications using the "cookie" session driver that were also exposing an encryption oracle via their application were vulnerable to remote code execution. An encryption oracle is a mechanism where arbitrary user input is encrypted and the encrypted string is later displayed or exposed to the user. This combination of scenarios lets the user generate valid Laravel signed encryption strings for any plain-text string, thus allowing them to craft Laravel session payloads when an application is using the "cookie" driver.

Today's fix prefixes cookie values with an HMAC hash of the cookie's name before encryption and then verifies a matching hash on decryption, making it impossible to craft a valid cookie payload even if an encryption oracle is exposed via the application.

I would like to personally apologize for the inconvenience of today's security releases since the nature of this fix required us to invalidate existing encrypted cookies issued by Laravel applications. Thank you for your patience and understanding.

Keep reading

General April 4, 2024

Encryption and the In-between

Last year, we introduced a simple but surprisingly useful feature to Laravel Forge: the ability to add notes to servers. While checking the uptake of this feature, we noticed that customers were often storing sensitive data in the field. We hadn’t designed notes to store sensitive information, so we found ourselves in a situation where we now needed to encrypt existing unencrypted data, while also allowing for new data to be inserted as encrypted data - at the same time, the dashboard needed to be able to show the notes correctly whether they had been encrypted or not. Our migration process looked like this: 1. Run a command that encrypts all existing unencrypted server notes. 2. Update our model to cast the `notes` field, encrypting or decrypting as required. To do this, we leaned on [Laravel’s custom casts](https://laravel.com/docs/11.x/eloquent-mutators#custom-casts) feature to handle this “sometimes encrypted” data. We created a new cast `SometimesEncrypted` that allowed us to gracefully decrypt the encrypted notes, or simply return the plaintext version which may have been available during the migration: ```php

James Brooks

General December 19, 2022

Laravel Loves PHP 8.2

Last week saw the official release of PHP 8.2, bringing with it features such as read-only classes, DNF types, and much more. As you may have noticed, we've been busy preparing the Laravel framework, first-party packages, and the surrounding ecosystem to provide support for this exciting new release of PHP. ## Laravel If you want to use PHP 8.2 with your Laravel project, you should update your dependencies to use the latest versions of the framework as well as the latest versions of all first-party packages such as Cashier, Passport, Scout, etc. ![image](https://laravel-blog-assets.s3.amazonaws.com/cuNz2q7vmF8us0h934JhSY5hprK8lAAZPXw0siF4.png "image") Of course, you should also ensure you update any third-party packages accordingly. ## Forge If you use Forge to provision servers and deploy your applications, you may now select PHP 8.2 when creating a server. ![image](https://laravel-blog-assets.s3.amazonaws.com/yB1Yo6zGuJFpwyQIJeOW1SoD5ZWwiU7Tdh23c1cC.png "image") You may also install PHP 8.2 on existing servers from the "PHP" tab of your server's management dashboard. ![image](https://laravel-blog-assets.s3.amazonaws.com/PeQjgVeQlbYkqJGMyEw4N6eZVb8Q8nfVL7wAdzlR.png "image") ## Vapor We have also updated Vapor to provide PHP 8.2 support for our native and Docker runtimes. To update your native runtime to PHP 8.2, set the `runtime` option of your application's `vapor.yml` file to `php-8.2:al2` and redeploy your application. ![image](https://laravel-blog-assets.s3.amazonaws.com/O3QpHQ2GEvCxUCvkw59b8xiDvInhFqsOwIHd5PfV.png "image") If you are using the Docker runtime, you may update the base image in your Dockerfile to `laravelphp/vapor:php82` and redeploy your application. ![image](https://laravel-blog-assets.s3.amazonaws.com/6Lfm3nfio9eUHv9z0oNdEzfdrZH5NOyuOHxbps9I.png "image") ## Envoyer If you use Envoyer to manage your application's deployments, you may now select PHP 8.2 from your server's settings. ![image](https://laravel-blog-assets.s3.amazonaws.com/FswmEfdErIUr7iFQKQZkKM5TyEWEs3jbNawQOQfI.png "image") At Laravel, we're committed to providing you with the most robust, modern, and developer-friendly PHP experience. We hope you're as eager as we are to get started with PHP 8.2. With these updates to the ecosystem, it really couldn't be simpler!

Joe Dixon

General August 9, 2022

Laravel: New DB Commands

Following last week's release, which again focused on Artisan, this week Laravel v9.24 introduces three new DB commands and more.

Taylor Otwell

Stay connected with the latest Laravel news

Laravel is the most productive way to
build, deploy, and monitor software.

Products

Packages

Resources

Partners