[Cakephp 4] Error on logout


I have an error message when a user logout. However, everythings looks good : the user is correctly disconnected and redirected

Error: Cake\Http\Middleware\EncryptedCookieMiddleware::__construct(): Argument #2 ($key) must be of type string, null given, called in /var/www/html/mywebsite/src/Application.php on line 84

My Application.php


 * CakePHP(tm) : Rapid Development Framework (https://cakephp.org)
 * Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
 * Licensed under The MIT License
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice.
 * @copyright Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
 * @link      https://cakephp.org CakePHP(tm) Project
 * @since     3.3.0
 * @license   https://opensource.org/licenses/mit-license.php MIT License
namespace App;

use Cake\Core\Configure;
use Cake\Core\Exception\MissingPluginException;
use Cake\Error\Middleware\ErrorHandlerMiddleware;
use Cake\Http\BaseApplication;
use Cake\Http\MiddlewareQueue;
use Cake\Routing\Middleware\AssetMiddleware;
use Cake\Routing\Middleware\RoutingMiddleware;
use Cake\Http\Middleware\EncryptedCookieMiddleware;
use Authentication\AuthenticationService;
use Authentication\AuthenticationServiceInterface;
use Authentication\AuthenticationServiceProviderInterface;
use Authentication\Identifier\IdentifierInterface;
use Cake\Http\Middleware\HttpsEnforcerMiddleware;
use Authentication\Middleware\AuthenticationMiddleware;
use Cake\Routing\Router;
use Psr\Http\Message\ServerRequestInterface;
use Cake\I18n\FrozenTime;
 * Application setup class.
 * This defines the bootstrapping logic and middleware layers you
 * want to use in your application.
class Application extends BaseApplication implements AuthenticationServiceProviderInterface
     * Load all the application configuration and bootstrap logic.
     * @return void
    public function bootstrap(): void
        // Call parent to load bootstrap from files.

        if (PHP_SAPI === 'cli') {

         * Only try to load DebugKit in development mode
         * Debug Kit should not be installed on a production system
        if (Configure::read('debug')) {

        // Load more plugins here


     * Setup the middleware queue your application will use.
     * @param \Cake\Http\MiddlewareQueue $middlewareQueue The middleware queue to setup.
     * @return \Cake\Http\MiddlewareQueue The updated middleware queue.
    public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue

            // Catch any exceptions in the lower layers,
            // and make an error page/response
            ->add(new ErrorHandlerMiddleware(Configure::read('Error')))

            // Handle plugin/theme assets like CakePHP normally does.
            ->add(new AssetMiddleware([
                'cacheTime' => Configure::read('Asset.cacheTime'),

            // Add routing middleware.
            // If you have a large number of routes connected, turning on routes
            // caching in production could improve performance. For that when
            // creating the middleware instance specify the cache config name by
            // using it's second constructor argument:
            // `new RoutingMiddleware($this, '_cake_routes_')`
            ->add(new RoutingMiddleware($this))

            ->add(new EncryptedCookieMiddleware(['CookieAuth'],Configure::read('Security.cookieKey')))

            // disableOnDebug' => true -> disable in local environnement

            ->add(new HttpsEnforcerMiddleware(['disableOnDebug' => true])) // 'redirect' => true/false (if true 'statusCode' => 302), 'headers' => ['X-Https-Upgrade' => 1]

            ->add(new AuthenticationMiddleware($this));

        return $middlewareQueue;

     * Bootrapping for CLI application.
     * That is when running commands.
     * @return void
    protected function bootstrapCli(): void
        try {
        } catch (MissingPluginException $e) {
            // Do not halt if the plugin is missing


        // Load more plugins here

 * Returns a service provider instance.
 * @param \Psr\Http\Message\ServerRequestInterface $request Request
 * @return \Authentication\AuthenticationServiceInterface
 public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
  $service = new AuthenticationService();

  // adresse de redirection en cas d'accès à uné méthode en étant non authentifié

      'unauthenticatedRedirect' => '/twittux/login',
      'queryParam' => 'redirect',

  // Load identifiers
  $service->loadIdentifier('Authentication.Password', [
      'fields' => [
        IdentifierInterface::CREDENTIAL_USERNAME => 'username',
        IdentifierInterface::CREDENTIAL_PASSWORD => 'password',

  $now = FrozenTime::now();
  $now = $now->modify('+365 days');

  // Load the authenticators

  $service->loadAuthenticator('Authentication.Cookie', [
      'fields' =>
        IdentifierInterface::CREDENTIAL_USERNAME => 'username',
        IdentifierInterface::CREDENTIAL_PASSWORD => 'password',
      'httponly' => true, // empếche l'accès aux cookies en Javascript
      'expires' => $now,
      'secure' => true, // cookie crée uniquement dans le cas d'une connection https


  return $service;


My Logout action

      $result = $this->Authentication->getResult();

      if ($result->isValid()) {

        $this->Flash->success('Vous avez été déconnecté.');


        //redirection vers l'accueuil du site

        return $this->redirect('/');

What value does Configure::read('Security.cookieKey') have in it?

This one :

'Security' => [
        'salt' => env('SECURITY_SALT', '274e66b1047c3beaa575c0f02342262094212d5541a4865bccb24eb1c8540e17'),
        'cookieKey' => env('SECURITY_COOKIE_KEY', '327e66b1047c3beza575c0f023422615412d5541a4865bccd24eb1c8540e17'),

since you are using the env() function you should check that the $_ENV['SECURITY_COOKIE_KEY'] superglobal actually has the value you expect.

If not then you would have to check how you set your environment variables to be accessible for PHP as well.

If you instead use the config/.env file make sure you have enabled app/bootstrap.php at 4.x · cakephp/app · GitHub

I’d go straight to the end result, and just log or debug the return value of Configure::read('Security.cookieKey') at the top of the middleware function. I’m betting it’s not what you expect. Then you figure out why it’s not.

Hello and Thanks to @KevinPfeifer activating line 64 in the bootstrap file solved my problem, thanks to you