In Laravel, the APP_KEY is the secret the framework uses to encrypt and authenticate sensitive data such as session cookies, encrypted cookies and any value passed through the Crypt facade or an encrypted Eloquent cast. Every ciphertext carries a MAC computed with this key, so a payload that was modified or was produced under a different key is rejected rather than decrypted.
The key is stored in the .env file. In Laravel versions before 11, changing it on a running project had an immediate cost: nothing encrypted under the old key could be decrypted any more, which logged out every user (their session cookies no longer verified) and made stored encrypted data unreadable.
Starting with Laravel 11, the framework supports graceful key rotation.
So how does it work?
You can change your APP_KEY without losing access to data encrypted under the previous one. Laravel 11 lets you list the retired keys in the APP_PREVIOUS_KEYS environment variable. New values are always encrypted with the current APP_KEY. When decrypting, Laravel first tries the current APP_KEY; if the MAC check or decryption fails, it tries each key in APP_PREVIOUS_KEYS in order until one succeeds, and only throws a DecryptException if none of them does.
Code Example:
In your .env file, set the new key as APP_KEY and move the old one into APP_PREVIOUS_KEYS. A fresh key can be printed without touching .env using php artisan key:generate --show:
APP_KEY="base64:NEW_KEY_HERE"
APP_PREVIOUS_KEYS="base64:OLD_KEY_HERE,base64:OLD_KEY2_HERE"
Note: APP_PREVIOUS_KEYS is a comma-separated list, not a JSON array, and each entry keeps the same base64: prefix that key:generate produces. You can list as many previous keys as needed; they are tried in the order given.
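The following script is an added example (it is not code from the original post or from the Laravel project) that reproduces the rotation described above outside a full application, using the framework's own Illuminate\Encryption\Encrypter class. It assumes the illuminate/encryption package is installed via Composer in the current directory; the two keys are generated on the fly and the parseKey helper mirrors how Laravel strips the base64: prefix from .env values. Step 4 goes slightly beyond the post by showing the re-encryption pass needed before an old key can be dropped from APP_PREVIOUS_KEYS.

```php
<?php
// Added example, not part of the original post or of Laravel itself.
// Assumes: `composer require illuminate/encryption` was run in this directory.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;

$cipher = 'AES-256-CBC'; // default cipher in config/app.php

// Keys in the same form `php artisan key:generate` writes to .env (base64: prefix).
// Both are generated here for the demo; they are not real application keys.
$oldKey = 'base64:' . base64_encode(Encrypter::generateKey($cipher));
$newKey = 'base64:' . base64_encode(Encrypter::generateKey($cipher));

// Hypothetical helper: same parsing the EncryptionServiceProvider applies to .env values.
function parseKey(string $key): string
{
    return str_starts_with($key, 'base64:') ? base64_decode(substr($key, 7)) : $key;
}

// 1. Before rotation: a value (think session cookie or encrypted column) written under the old key.
$before     = new Encrypter(parseKey($oldKey), $cipher);
$ciphertext = $before->encryptString('session payload written under the old key');

// 2. Rotating APP_KEY alone (the pre-Laravel-11 situation): the MAC no longer verifies.
$naive = new Encrypter(parseKey($newKey), $cipher);
try {
    $naive->decryptString($ciphertext);
    echo "unexpected: old ciphertext decrypted with the new key alone\n";
} catch (DecryptException $e) {
    echo "New key only: DecryptException (" . $e->getMessage() . ")\n";
}

// 3. Rotating with APP_PREVIOUS_KEYS: the current key is tried first, then the old one.
$rotated = (new Encrypter(parseKey($newKey), $cipher))
    ->previousKeys([parseKey($oldKey)]);
echo "New key + previous keys: " . $rotated->decryptString($ciphertext) . "\n";

// 4. New writes use only the current key. Re-encrypting stored values is what
//    eventually lets you remove the old key from APP_PREVIOUS_KEYS.
$reencrypted = $rotated->encryptString($rotated->decryptString($ciphertext));
$final       = new Encrypter(parseKey($newKey), $cipher); // old key removed
echo "After re-encryption, new key alone: " . $final->decryptString($reencrypted) . "\n";
```

Run it with php rotate.php (any file name works). Step 2 throws because the MAC is computed with the key in use; step 3 succeeds because Encrypter::previousKeys() registers the fallback keys that the service provider would otherwise load from APP_PREVIOUS_KEYS; step 4 shows that nothing is re-encrypted automatically, which matters for the caveat below.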
This makes it possible to rotate keys regularly, a security best practice, without logging users out or losing access to encrypted data. Two caveats a practitioner should keep in mind: first, a key listed in APP_PREVIOUS_KEYS is still a secret, because anything encrypted and MAC-signed under it is still accepted, so rotating a key that has leaked only helps once the old key is removed from the list. Second, Laravel does not re-encrypt existing data for you; values stay encrypted under the old key until they are rewritten, so plan a re-encryption pass for stored ciphertexts (for example a one-off command that reads and saves each encrypted column) before dropping the old key from APP_PREVIOUS_KEYS. Sessions and cookies take care of themselves, since they are rewritten on the user's next request.
Summary:
Before Laravel 11: Changing APP_KEY logged all users out and made previously encrypted data unreadable.
With Laravel 11: You can rotate keys smoothly by moving the old key into APP_PREVIOUS_KEYS, then re-encrypt stored data and retire the old key once it is no longer needed.