This forum has moved to a new location and is in read-only mode. Please visit talk.octobercms.com to access the new location.

gregpluess33538

I recently upgraded my OctoberCMS instance from 459 to 464 and had no issues on my local machine. However, today I deployed to production and I'm getting a lot of errors like this one (basically on every GET request):

2020/01/18 21:00:51 [error] 19992#19992: *130 FastCGI sent in stderr: "
PHP message: PHP Notice:  unserialize(): Error at offset 0 of 100 bytes in /var/www/example.com/public/vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php on line 149
PHP message: PHP Notice:  unserialize(): Error at offset 0 of 40 bytes in /var/www/example.com/public/vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php on line 149
PHP message: PHP Notice:  unserialize(): Error at offset 0 of 66 bytes in /var/www/example.com/public/vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php on line 149" while reading response header from upstream, client: 0.0.0.0, server: example.com, request: "GET /backend HTTP/2.0", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "example.com", referrer: "https://example.com/backend/backend/auth/signin"

Additionally, I'm no longer able to log in to the backend.

After some research I found there was a change with cookie serialization recently: https://github.com/octobercms/library/commit/09e859a13ee5663ee6cb6f0c02a4a97e09deefa7#diff-056b9862465e028cb597e2d0baf41b70

After adding my cookies to the new "unencryptedCookies" config key everything started working again, but this doesn't look like a permanent solution.

Is there a way to avoid this? I need the cookies to be encrypted.

Any kind of help would be much appreciated!

daftspunky

This occurs due to a one-way function in the upgrade. If you upgrade to the latest October CMS, sign in and generate a cookie, then downgrade to an older version with the new cookie, it throws an error because it isn't expecting the new format. The newer version supports both formats, thus the error should never happen.

The workaround solution is to clear your cookies.

lucas9570

This appears to still be a problem for me while upgrading to 469. I've tried clearing cookies, trying browsers I don't use (Edge on the Mac!), disabling plugins, creating new admin users. No dice.

The symptoms are always the same. If you complete the backend login form with "bad" credentials, you get an error message. If your credentials are good, you get silent failure, and the login box just appears again.

If unserialize() triggered an exception in PHP, it would work, because the try / catch in October\Rain\Cookie\Middleware\EncryptCookies->decryptCookie() would attempt again without unserialization. In fact, changing line 35 of October\Rain\Cookie\Middleware\EncryptCookies from:

$result = $this->encrypter->decrypt($cookie, true);

to

$result = $this->encrypter->decrypt($cookie, false);

results in successful backend login, although who knows what side effects it has.

A better solution would be to suppress errors on deserialize() in Illuminate\Encryption\Encrypter->decrypt(), like this:

// Proposed change to Illuminate\Encryption\Encrypter::decrypt() (vendor code)
public function decrypt($payload, $unserialize = true)
{
    // getJsonPayload() also verifies the payload's MAC before we get here.
    $payload = $this->getJsonPayload($payload);

    $iv = base64_decode($payload['iv']);

    // Here we will decrypt the value. If we are able to successfully decrypt it
    // we will then unserialize it and return it out to the caller. If we are
    // unable to decrypt this value we will throw out an exception message.
    $decrypted = \openssl_decrypt(
        $payload['value'], $this->cipher, $this->key, 0, $iv
    );

    if ($decrypted === false) {
        throw new DecryptException('Could not decrypt the data.');
    }

    if (! $unserialize) {
        return $decrypted;
    }

    // Suppress the E_NOTICE that unserialize() emits on a non-serialized
    // (legacy-format) cookie value and report the failure as an exception
    // instead, so decryptCookie()'s try / catch can retry without unserialization.
    // unserialize() also returns false for a legitimately serialized false
    // ('b:0;'), so that case must not be treated as a failure.
    $return = @unserialize($decrypted);

    if ($return === false && $decrypted !== 'b:0;') {
        throw new DecryptException('Could not unserialize the data.');
    }

    return $return;
}

If there's a better solution that would allow me to upgrade a production site without a hot fix, I'm all ears.

thanks, Lucas
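The decryptCookie() / decrypt() fallback Lucas describes, as an added PHP example that is not code from October CMS or Laravel. It assumes an {iv, value} JSON payload and AES-256-CBC modelled on Laravel's Encrypter, uses hypothetical helper names, and omits the MAC verification the real Encrypter performs before decrypting.

```php
<?php
// Added example, not October CMS or Laravel code. unserialize() on a plain
// (legacy-format) cookie value only emits an E_NOTICE and returns false, so
// the try/catch in decryptCookie() never fires. Promoting that notice to an
// exception lets the "retry without unserialization" fallback handle both formats.
final class DecryptException extends RuntimeException {}

function encryptValue($plain, $key)
{
    $iv = random_bytes(16);
    $value = openssl_encrypt($plain, 'AES-256-CBC', $key, 0, $iv);
    return base64_encode(json_encode(['iv' => base64_encode($iv), 'value' => $value]));
}

function decryptValue($payload, $key, $unserialize)
{
    $data = json_decode(base64_decode($payload), true);
    $plain = openssl_decrypt($data['value'], 'AES-256-CBC', $key, 0, base64_decode($data['iv']));
    if ($plain === false) {
        throw new DecryptException('Could not decrypt the data.');
    }
    if (!$unserialize) {
        return $plain;
    }
    // Turn the E_NOTICE from a non-serialized value into a real exception;
    // checking for "=== false" instead would misreport serialize(false) ('b:0;').
    set_error_handler(function ($errno, $errstr) {
        throw new DecryptException('Could not unserialize the data: ' . $errstr);
    });
    try {
        return unserialize($plain);
    } finally {
        restore_error_handler();
    }
}

// The decryptCookie() pattern: new (serialized) format first, then legacy plain text.
function decryptCookie($payload, $key)
{
    try {
        return decryptValue($payload, $key, true);
    } catch (DecryptException $e) {
        return decryptValue($payload, $key, false);
    }
}

$key = random_bytes(32); // constructed key for the demonstration only
var_dump(decryptCookie(encryptValue(serialize(['user' => 7]), $key), $key)); // new-format cookie
var_dump(decryptCookie(encryptValue('legacy-plain-token', $key), $key));     // legacy-format cookie
var_dump(decryptCookie(encryptValue(serialize(false), $key), $key));         // serialized false is valid, not a failure
```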

lucas9570

I now realize that this is in fact Laravel code, which complicates things. If anyone has any insights, please share.
