[5.4] The payload is invalid : DecryptException on Session

Laravel Version: 5.4.*
PHP Version: 5.6 & 7.1

Description:

I've upgraded 2 Laravel applications on 5.4 few months ago.

Those application were created on 5.1, and I've always follow the upgrade guide 1 month after any major release.

Since 5.4, I often have this kind of error on POST/PUT request :

Illuminate\Contracts\Encryption\DecryptException·The payload is invalid

app/Http/Middleware/CheckForMaintenanceMode.php:43 App\Http\Middleware\CheckForMaintenanceMode::handle  
             throw new HttpException(503);
        }
        return $next($request); //line 43
    }
}

This is the actual code for this middleware :

namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Application;
use Symfony\Component\HttpKernel\Exception\HttpException;

class CheckForMaintenanceMode
{

    /**
     * @var Application
     */
    protected $app;

    public function __construct(Application $app)
    {
        $this->app = $app;
    }

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request $request
     * @param  \Closure $next
     * @return mixed
     * @throws HttpException
     */
    public function handle($request, Closure $next)
    {
        if ($this->app->isDownForMaintenance()&&
            !in_array($request->ip(),])) {
            throw new HttpException(503);
        }

        if (!is_null($this->app->context->context)
            && $this->app->context->maintenance == true
            && !in_array($request->ip(), [])) {
            throw new HttpException(503);
        }

        return $next($request);
    }
}

Steps To Reproduce:

On those applications, there is around 5000 unique users per day. It happened around 300 times in the last 2 months. I've never find a way to reproduce it. I'm using bugsnag with the last laravel lib version, and this has been introduced with 5.4.

There was no server change when this issue appears the first time, and I don't use encrypt() or decrypt() directly, it's related to the session. The session driver is file on both applications.

I had the issue with php 5.6 on Debian 8, and still have it with php 7.1 on Debian 9.

The only one place where this exception is thrown is in the Encrypter class, getJsonPayload() method.

Middleware configuration:

protected $middleware = [
        \App\Http\Middleware\CheckForMaintenanceMode::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
    ];

    /**
     * The application's route middleware groups.
     *
     * @var array
     */
    protected $middlewareGroups = [
        'web' => [
            
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

        'api' => [
            'throttle:60,1',
            'bindings',
        ],
    ];

Any advise is welcome.

kidager

8 years ago

Level 1

I guess you have a typo in

!in_array($request->ip(),])

Shouldn't it be

!in_array($request->ip(),[])

or point to an array of IPs to be more correct.

Please or to participate in this conversation.