
skater

How to capture cookies with request() when two cookies have the same name

Hi: We have a situation where a user can have two cookies with the same name, and both are sent in certain requests. Because of a migration, some users have one cookie decrypted and the other encrypted. Same name. Same "value".

This is not the point ... we cannot fix that ... but we receive the request incorrectly in the "request()" method.

While investigating, I noticed that at some point the cookies are "deleted". I don't know which one exactly and WHY (this is the question).

Let's take an example of a CURL method captured in the "Inspect Chrome console" simulating the call. In this case Chrome is sending these two cookie values; one of them is encrypted and the other is open (this is the duality problem mentioned at the beginning, but it's not the problem here).

curl 'https://dev.mysite.com/test' -H 'cookie: hash=746895894fbf236dadc011fb2533c151; hash=eyJpdiI6ImlYMVFGM0[.......]sInRhZyI6IiJ9;'

When I print this (this is the furthest I reached investigating):

request()->capture()->cookies
- or -
Request::capture()->cookies

the output is

 Symfony\Component\HttpFoundation\InputBag Object
(
    [parameters:protected] => Array
        (
            [hash] => 746895894fbf236dadc011fb2533c151
        )

)

But when I print

app('request')->cookies      
- or - 
request()->cookies

the output is:

Symfony\Component\HttpFoundation\InputBag Object
(
    [parameters:protected] => Array
        (
            [hash] => 
        )

)

So, at some point, when Laravel receives two cookies, they have "disappeared" or been "destroyed" ...

As I said ... I was investigating the Laravel core code, the Symfony Foundation Request and Illuminate Request files, and I found that the reading of the headers and cookies is correct.

The Illuminate\Http\Request capture function returns the cookie correctly. The Symfony function reads the two cookies and here it took one of them (I don't know if it takes the encrypted one, or the first one, or whatever ... but it takes one and with a value).

But when this is sent to the request() method, they are destroyed.

Any ideas?

UPDATE:

request()->cookies prints the decrypted cookie values ... when it receives two cookies, same name, with values opened and decrypted ... it fails at some point and sets the value as empty...

skater

A solution is to read the cookie this way:

echo request()->cookie('hash', Request::capture()->cookies->get('hash'));

If just one cookie (the encrypted one) is coming in the request, it will be read correctly by request(). If two are coming in the request (encrypted and open), request() will output null, so Request::capture() will give the value.

That's my "fix"
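
An added example, not part of skater's posts: the cookie bag holds only one `hash` value, so seeing both duplicates means parsing the raw `Cookie` header. The plain PHP 8 sketch below does that and returns only a value that a supplied decrypt callable accepts, instead of falling back to the unauthenticated plaintext copy; `parseCookieHeader`, `pickDecryptable`, the sample header and the stand-in `$decrypt` are constructed for illustration, and in a Laravel app the callable would wrap the application's own encrypter.

```php
<?php
declare(strict_types=1);

/**
 * Parse a raw Cookie header, keeping every value for a repeated name.
 * @return array<string, list<string>>
 */
function parseCookieHeader(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || !str_contains($pair, '=')) {
            continue; // skip empty segments such as a trailing ';'
        }
        [$name, $value] = explode('=', $pair, 2);
        // rawurldecode keeps '+' intact, which matters for base64 payloads
        $cookies[trim($name)][] = rawurldecode(trim($value));
    }
    return $cookies;
}

/**
 * Return the first value of $name that $decrypt accepts, or null.
 * $decrypt must throw on any value it cannot authenticate.
 */
function pickDecryptable(array $cookies, string $name, callable $decrypt): ?string
{
    foreach ($cookies[$name] ?? [] as $candidate) {
        try {
            return $decrypt($candidate);
        } catch (Throwable $e) {
            continue; // plaintext or tampered value: try the next duplicate
        }
    }
    return null;
}

// Constructed header: plaintext duplicate first, "encrypted" one second.
$header = 'hash=746895894fbf236dadc011fb2533c151; hash=enc%3Ac2VjcmV0;';

// Stand-in for a real decrypter (assumption): accepts only "enc:<base64>".
$decrypt = function (string $v): string {
    if (!str_starts_with($v, 'enc:') || ($plain = base64_decode(substr($v, 4), true)) === false) {
        throw new RuntimeException('not decryptable');
    }
    return $plain;
};

$all = parseCookieHeader($header);
var_dump(count($all['hash']));                     // how many duplicates arrived
var_dump(pickDecryptable($all, 'hash', $decrypt)); // first value that decrypts
```

In Laravel the raw header is available through `request()->header('cookie')`.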
