Remember me cookie cakephp 4 not working

I’m working with CakePHP 4.
Following the documentation, I set up ‘remember me’ cookie, when I pass login, I see in the browser the CookieAuth controller with correct values for username e password.
Point is that when I logout, I still see the cookie in my browser (it will expires in few days) but I expected username e password input text with precompiled value in the login form.
Is this the correct behaviour?
I tried to get these fields populated but incurred in many different errors related to cookie reading/writing e.g.
“Argument 1 passed to Cake\Http\Response::withCookie() must implement interface Cake\Http\Cookie\CookieInterface, string given”

This is my code:

  • in app_local.php:
    ‘Security’ => [
    ‘salt’ => env(‘SECURITY_SALT’, ‘string’, //here my random string
    -in Application.php
    $cookies = new EncryptedCookieMiddleware(
    and inside getAuthenticationService(ServerRequestInterface $request), after Session and before Form:

    $authenticationService->loadAuthenticator(‘Authentication.Cookie’, [
    ‘rememberMeField’ => ‘remember_me’,
    ‘fields’ => [
    ‘username’ => ‘email’,
    ‘password’ => ‘password’,
    ‘loginUrl’ => ‘/’,
    ‘expire’=> new DateTime(‘Thu, 31 Dec 20 15:00:00 +0000’)

  • in UsersController, login function
    public function login()
    $cookie = [‘email’=>’’, ‘password’=>’’, ‘remember_me’=>0];

          if ($this->request->getCookie('CookieAuth')) {
              $cookie = $this->request->getCookie('CookieAuth');
          // if remember_me
          if($this->request->getData('remember_me') == 1) {
             $this->response = $this->response->withCookie(new Cookie('CookieAuth'), $this->request->getData());
          else {
          // other code


<?= $this->Form->control('email', ['required' => true]) ?>
<?= $this->Form->control('password', ['required' => true]) ?> <!-- ,['value' => $cookie['password']] -->
<?= $this->Form->control('remember_me', ['type' => 'checkbox']);?> <?= $this->Form->submit(__('Login')); ?>

Any help would be really appreciated, thanks.

I’m not answering the question, sorry, just asking another one: are you actually storing their password in plain text in a cookie on their PC? In which case that is a very bad thing. It would even be bad if you were storing their salted password hash (as a hacker with enough of these, gleaned from your user’s cookies, could perform some decryption [i.e. brute force one password for plain text/encrypted text and use rainbow tables etc.]).

I would suggest you direct your users to Lastpass or some similar app designed to do this.

As for answering your question, I have no input there, sorry again!!

Thanks for the suggestion, it’s just an example running on my laptop for personal use :wink:

i tried it on version 4.x . It works fine


    'Security' => [
        'salt' => env('SECURITY_SALT', 'string'),  //here my random string
        'cookieKey' => env('SECURITY_COOKIE_KEY', 'string'),  //here my random string

Application.php | function middleware

->add(new EncryptedCookieMiddleware(

Application.php | function getAuthenticationService

$service->loadAuthenticator('Authentication.Cookie', [
            'fields' => $fields,
            'cookie' => [
                'name' => 'CookieAuth',
                'expires' => (new Time())->addDays(30),
            'loginUrl' => '/users/login',
<?= $this->Form->control('remember_me', ['type' => 'checkbox']);?>

Just a quick security question on that approach - is there any weakness in storing the salt in plain text on the client’s computer?

What approach are you referring to? I don’t see any of the samples above storing the salt in the cookie?

Generally it depends on what value specifically you are referring to, and how it is actually used. For example some encryption/hashing algorithms use random, dynamically generated salts and add them to the encrypted/hashed data, having those salts exposed is OK, their purpose is to protect against for example dictionary or rainbow table attacks.

Making say CakePHP’s Security.salt value public on the other hand would be a really, really bad idea, as it is a unique value this is even used as a key/secret in various places! Exposing this is like exposing a master password.

Sorry I misread.
Wouldn’t the cookie also need to store the username?
May not hurt to also put in some browser + PC identifier so if the cookie gets stolen it won’t grant a free pass to someone else.

Again I’m not sure what you’re referring to? The code of the original question? The sample posted by @quapro83? The general concept?