bmac32's avatar

Laravel Creating Random Cookies

In addition to my session and XSRF-TOKEN cookies, my Laravel project creates multiple cookies with random strings. I'm not sure where or how these get set but we are running into an issue where our app is creating 5-6 of these cookies and is causing nginx to error out with "Request Header Or Cookie Too Large". I am having a hard time finding any documentation on this anywhere. Any thoughts/suggestions would be greatly appreciated.

I know that I can increase the size of the large_client_header_buffers but I would like to understand what and why this is happening. Thanks!

https://i.redd.it/roawv3qi0u911.png

0 likes
11 replies
bobbybouwmann's avatar

Laravel creates by default 3 cookies as far as I know

  • XSRF-TOKEN: used to verify csrf token for posting data
  • laravel_session: this cookie holds all session items. Even if you don't have any session set this cookie is created. If you don't want that you need to use the array driver for sessions
  • remember_web_59ba36...: When you login using the remember_me functionality this cookie will be created to remember you ;)

Any other cookies might be created by your own code or by third party packages! Can you show the name of the cookies that you want to get rid of?

bmac32's avatar

Thanks for the quick response, Bobby. The extra cookies are not remember_me cookies. Their names appear to be a random hash and their values seem to be similar to the laravel_session but are much longer. I'm including a few examples below. It's hard to debug where these are coming from but it appears that they are regenerated after new sessions. So if I log out and log back in, I'll have a new one created. This is causing the headers/cookie too large issue after several logins/outs due to all the cookies being sent back and forth.

Also, here is one other post where I could see someone posting about it: https://stackoverflow.com/questions/36342882/laravel-cookie-storage-gets-exceeded-after-every-few-visits

Examples of cookie names:

name: yHNNOiCLwyAZlYbUTiNUOihoeQyNpHSUfeqn6Tgz

name: tiW08Y3FI0IFaO3x5G8aWLRzNfcHJiNAvhty439x

name: wImwZtR3GCNiKGNEgdSWcgI7rJSE4IExvOhmddNf

And finally, my composer.json:

    "require": {
        "php": "^7.1.3",
        "barryvdh/laravel-cors": "^0.11.0",
        "fideloper/proxy": "^4.0",
        "guzzlehttp/guzzle": "^6.3",
        "jcf/geocode": "~1.3",
        "laravel/framework": "5.6.*",
        "laravel/tinker": "^1.0",
        "league/flysystem-aws-s3-v3": "~1.0",
        "ramsey/uuid": "^3.7",
        "sentry/sentry-laravel": "^0.9.0",
        "stephanecoinon/papertrail": "^1.1"
    },

bmac32's avatar

I just created a test project and added each of the required packages above. I then flushed the cookies and reloaded the new laravel test project. I am unable to re-create the cookie issues.

I'm hoping for some help on how to debug this to determine where and why these cookies are being created.

As it stands, the cookie is created at any page view if it doesn't already exist so there are not certain circumstances that generate it.

bobbybouwmann's avatar

Do you have some third party package enabled that might be creating cookies?

ndekruijk's avatar

No idea if you ever solved this but I had the same problem and for some reason I had SESSION_DRIVER set to cookie instead of file.

In my search for an explanation I came across this post so I thought I would share my findings here, even if it's a year later...

2 likes
music_only's avatar

God bless you wherever you are! I had the same issue.

sev_pro's avatar

@ndekruijk solution doesn't work for me, as I need the SESSION_DRIVER to be set to cookie. But I also get those weirdly generated cookies (only when doing local development).

If anyone has a solution to this, it would be much appreciated.

JussiMannisto's avatar

If you use the cookie session driver, all session data is stored in cookies. What you're seeing is the encrypted session data. Nothing weird there.

But why would you need to store session data in cookies rather than on the server? For example, the file session driver requires no configuration and makes this problem go away. And for a more scalable solution you could look at database or Redis sessions.

https://laravel.com/docs/12.x/session#configuration

1 like
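Added example, not part of any post in this thread: a small Python audit of a captured `Cookie` request header that counts cookies whose name has the 40-character alphanumeric shape of a Laravel session ID and whose value is the base64 JSON envelope (`iv`/`value`/`mac`) of Laravel's encrypter, then compares the header size with a limit. The function names, the constructed sample header and the 8192-byte limit (nginx's default `large_client_header_buffers` buffer size, assumed here for the server) are illustrative assumptions.

```python
import base64
import json
import re
from urllib.parse import unquote

NGINX_DEFAULT_BUFFER = 8192  # nginx default is "large_client_header_buffers 4 8k"
SESSION_ID = re.compile(r"[A-Za-z0-9]{40}")  # Laravel session IDs: 40 alphanumerics


def is_laravel_encrypted(value):
    """True if value is base64-encoded JSON carrying iv/value/mac keys."""
    raw = unquote(value)  # cookie values arrive URL-encoded (e.g. %3D padding)
    try:
        payload = json.loads(base64.b64decode(raw + "=" * (-len(raw) % 4)))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False
    return isinstance(payload, dict) and {"iv", "value", "mac"} <= payload.keys()


def audit_cookie_header(header, limit=NGINX_DEFAULT_BUFFER):
    """Size every cookie and count those that look like cookie-driver sessions."""
    cookies = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if not name:
            continue
        session_like = bool(SESSION_ID.fullmatch(name)) and is_laravel_encrypted(value)
        cookies.append({"name": name, "bytes": len(name) + 1 + len(value),
                        "session_payload": session_like})
    total = len("Cookie: ") + len(header)
    return {"cookies": cookies, "header_bytes": total,
            "payload_cookies": sum(c["session_payload"] for c in cookies),
            "over_limit": total > limit}


def fake_encrypted(n):
    """Constructed stand-in: same JSON envelope, filler instead of ciphertext."""
    body = json.dumps({"iv": "A" * 24, "value": "B" * n, "mac": "c" * 64})
    return base64.b64encode(body.encode()).decode()


# Constructed sample: two framework cookies plus five leftover session payloads.
FRAMEWORK = ["XSRF-TOKEN=" + fake_encrypted(300), "laravel_session=" + fake_encrypted(300)]
LEFTOVER = [f"{chr(97 + i) * 40}={fake_encrypted(1400)}" for i in range(5)]
SAMPLE_HEADER = "; ".join(FRAMEWORK + LEFTOVER)

if __name__ == "__main__":
    report = audit_cookie_header(SAMPLE_HEADER)
    print(report["header_bytes"], report["payload_cookies"], report["over_limit"])
```

More than one session-shaped payload cookie in a single request means old session cookies are still being sent alongside the current one, which is the accumulation described earlier in the thread.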
sev_pro's avatar

I have two applications and I want to share the session on my local environment. Running on localhost:8000 and localhost:8001.

Using the cookie session driver works. But using file does not work.

Snapey's avatar

There are also significant size limitations with using cookie session storage.

1 like
sev_pro's avatar

Hmm... thanks. We'll move to the database session driver. As I understand that should work on either environment.
