EventFellows

WHY are cookies not encrypted on api routes by default? Any reason to be aware of?

Laravel documentation says that Laravel cookies are always encrypted (https://laravel.com/docs/5.3/responses#cookies-and-encryption).

I realized that on the Spark setup the middleware that does EncryptCookies is only part of the web middleware group and not on the api middleware.

Is there a reason for that?

Background of question: when using cookies in a mixed setup with API calls and web routes, reading cookies causes problems. Reading a value from an encrypted cookie via an API request returns null and vice versa.

0 likes
2 replies
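
An added example, not from the thread and not Laravel's or Spark's own code: one way to make both route groups handle cookies identically is to run the cookie middleware in the `api` group as well. It assumes the stock Laravel 5.3 `app/Http/Kernel.php`; a Spark install may list further middleware in these groups.

```php
<?php

namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    protected $middlewareGroups = [
        // Default web group: cookies are decrypted on the way in and
        // encrypted on the way out by EncryptCookies.
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

        // Default api group has only 'throttle:60,1' and 'bindings', so it
        // neither decrypts incoming cookies nor encrypts outgoing ones.
        'api' => [
            // Added (assumption of this example): same cookie handling as
            // 'web', so both groups read and write with the same APP_KEY.
            \App\Http\Middleware\EncryptCookies::class,
            // Added: needed only if api routes set cookies via Cookie::queue().
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            'throttle:60,1',
            'bindings',
        ],
    ];
}
```

Cookie names listed in the `$except` property of `App\Http\Middleware\EncryptCookies` are skipped by this middleware and stay unencrypted in every group that uses it.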
mkarnicki

Maybe because APIs don't (usually? :D) make use of cookies, so encryption (or not) doesn't apply? You'd probably use some API token authentication instead.
