What is the purpose of cookie encryption in LinkAce?

[chrissawyerfan4]

https://github.com/Kovah/LinkAce/blob/main/app/Http/Kernel.php#L33

    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,

When removing this line, I see that a random session and anti-csrf token is set, which are opaque to the user anyhow. What is the purpose of adding authenticated encryption on top? Is there functionality where secret or authenticated data is set as a cookie that I have not yet uncovered?

[Kovah]

It's actually just the default for the framework and there's no reason to change it. It is probably needed when actual session data is stored in cookies, but that is not the case for LinkAce. Filesystem or Redis are used for user sessions.

[chrissawyerfan4]

Hmm. To me, unnecessary encryption seems like a risk of some bug or other when all that's in the session is a dead simple random token that is much harder to get wrong (attacks surface wise). Plus of course the minor efficiency hit in doing the operations and sending the big cookie back and forth, but at a self-hosted scale that doesn't matter. Anyway I can see your point of view, no need to mess with something that works I suppose, and it answers the question so thanks for the reply!