Remember me CookieAuth decryption issues

I have followed the documentation to implement the remember_me token.

When I log in for the first time, I can see that the CookieAuth cookie is created. But when I return to the page afterwards, the authentication result is FAILURE_CREDENTIALS_INVALID. The result originates from CookieAuthenticator::authenticate.

When I look into it a bit more, I can see that the reason for the failed result is that the $token (which I believe should be the decrypted CookieAuth) is an empty string. When I follow the decryption of CookieAuth through EncryptedCookieMiddleware.php, I end up at OpenSsl::decrypt. It is at this point that decrypting the token doesn’t seem to work. All the parameters for openssl_decrypt() are filled, but it results in an empty string.

I am unsure as to why there are problems with decrypting the cookie.

As a side note, I generated the 32-byte cookieKey at Encryption Key Generator.

Sorry but I am not able to reproduce that problem.

I have added

->add(new EncryptedCookieMiddleware(

inside my src/Application.php middleware() method between the RoutingMiddleware and the BodyParserMiddleware

My CookieAuth value looks like this after logging in


which is encrypted as it should be.

Just making sure: a 32-byte cookieKey for the encryption is the 256-bit “Security-Level” on your generator site.
So it should be something like


Thank you for your reply, Kevin. I had added the EncryptedCookieMiddleware at the end of my middleware queue, just before the AuthenticationMiddleware. I tried changing the order around by placing EncryptedCookieMiddleware between the RoutingMiddleware and the BodyParserMiddleware. Sadly, this did not solve my issue. I still get the same result when going to my application with CookieAuth present after having logged in successfully first.

I’ll continue trying to figure out what is going wrong here.

Well, the EncryptedCookieMiddleware needs to be placed BEFORE the AuthenticationMiddleware.

Otherwise the AuthenticationMiddleware would try to read encrypted cookie data which of course won’t work.
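For reference, here is what the ordering described above looks like in a CakePHP 4 src/Application.php, together with the authentication service that loads the Cookie authenticator. This is an added illustration, not code from the thread or from the CakePHP/Authentication projects; it assumes the key lives under Configure key Security.cookieKey (as in the default app.php), that the login route is /users/login, and that the users table uses an email column as the username field. The cookie options are the ones I know from Authentication 2.x (name, expires, secure, httponly, samesite); check them against the version you run.

```php
<?php
declare(strict_types=1);

namespace App;

use Authentication\AuthenticationService;
use Authentication\AuthenticationServiceInterface;
use Authentication\AuthenticationServiceProviderInterface;
use Authentication\Middleware\AuthenticationMiddleware;
use Cake\Core\Configure;
use Cake\Http\BaseApplication;
use Cake\Http\Middleware\BodyParserMiddleware;
use Cake\Http\Middleware\EncryptedCookieMiddleware;
use Cake\Http\MiddlewareQueue;
use Cake\Routing\Middleware\RoutingMiddleware;
use Cake\Routing\Router;
use Psr\Http\Message\ServerRequestInterface;

class Application extends BaseApplication implements AuthenticationServiceProviderInterface
{
    public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
    {
        $middlewareQueue
            // Routing first: the Cookie authenticator matches loginUrl against the parsed route.
            ->add(new RoutingMiddleware($this))
            // Decrypt CookieAuth BEFORE authentication runs, otherwise the authenticator
            // sees ciphertext and returns FAILURE_CREDENTIALS_INVALID.
            // The key must be 32 bytes (256 bits) and must stay secret: anyone who has it
            // can forge a remember-me cookie. Assumed to be configured as Security.cookieKey.
            ->add(new EncryptedCookieMiddleware(
                ['CookieAuth'],
                Configure::read('Security.cookieKey')
            ))
            ->add(new BodyParserMiddleware())
            // Authentication last, so it sees decrypted cookies and parsed form bodies.
            ->add(new AuthenticationMiddleware($this));

        return $middlewareQueue;
    }

    public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
    {
        $service = new AuthenticationService();

        $loginUrl = Router::url(['controller' => 'Users', 'action' => 'login']); // assumed route

        $service->setConfig([
            'unauthenticatedRedirect' => $loginUrl,
            'queryParam' => 'redirect',
        ]);

        $fields = ['username' => 'email', 'password' => 'password']; // assumed column names

        $service->loadIdentifier('Authentication.Password', compact('fields'));

        // Session first: a live session wins over the cookie. Form handles the POST,
        // Cookie restores identity from CookieAuth on later visits.
        $service->loadAuthenticator('Authentication.Session');
        $service->loadAuthenticator('Authentication.Form', [
            'fields' => $fields,
            'loginUrl' => $loginUrl,
        ]);
        $service->loadAuthenticator('Authentication.Cookie', [
            'fields' => $fields,
            'loginUrl' => $loginUrl,
            // The checkbox in the login form must use this exact field name.
            'rememberMeField' => 'remember_me',
            'cookie' => [
                'name' => 'CookieAuth',
                'expires' => new \DateTimeImmutable('+30 days'),
                // The plugin defaults to secure=false / httponly=false; harden them here.
                'secure' => true,
                'httponly' => true,
                'samesite' => 'Lax',
            ],
        ]);

        return $service;
    }
}
```

Two things worth checking when the cookie decrypts to an empty string: that the key passed to EncryptedCookieMiddleware is the same string (and the same length) on the request that wrote the cookie and the request that reads it, and that no other middleware or plugin registered earlier in the queue touches the CookieAuth cookie.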

In both cases that I tested, the EncryptedCookieMiddleware was placed before the AuthenticationMiddleware, so that isn’t the issue.

Can’t really tell you what else may be wrong from a basic app perspective.

You could try to get a step debugger running in your local app and step through the code to see where it’s going wrong or where another plugin or whatever is messing with your app.

Okay, so I had a colleague look at this issue with me and we figured something out. It turns out that it actually does work. Yesterday, I logged into the application with the remember me option ticked. Today, it logged me in automatically. However, it only did that because I navigated directly to the application’s dashboard instead of the login page.

So here’s where my confusion was. I expected the application to log me in automatically and redirect me to the dashboard if I navigated to the login page. This does not happen. Navigating to the login page seems to invalidate the existing CookieAuth.

This should happen automatically via

    $result = $this->Authentication->getResult();
    // regardless of POST or GET, redirect if user is logged in
    if ($result && $result->isValid()) {
        // redirect to /articles after login success
        $redirect = $this->request->getQuery('redirect', [
            'controller' => 'Articles',
            'action' => 'index',
        ]);

        return $this->redirect($redirect);
    }

inside your login action.
See CMS Tutorial - Authentication - 4.x

You have to of course adjust the redirect controller and action to what you need.
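A complete login action built around that snippet, as an added example rather than the tutorial's own code: it assumes AppController loads the Authentication.Authentication component in initialize(), that the login form has a remember_me checkbox, and that the post-login landing page is Articles::index. Because the authenticator already ran in the middleware, getResult() is valid on a plain GET when a usable CookieAuth is present, so the redirect fires without the user submitting anything. The one thing added beyond the tutorial is safeRedirectTarget(), a hypothetical helper name, which refuses absolute or protocol-relative redirect values so the redirect query parameter cannot be used to bounce a freshly logged-in user to another host.

```php
<?php
declare(strict_types=1);

namespace App\Controller;

use Cake\Event\EventInterface;

class UsersController extends AppController
{
    public function beforeFilter(EventInterface $event): void
    {
        parent::beforeFilter($event);
        // The login page itself must be reachable without an identity,
        // otherwise the unauthenticatedRedirect loops back to /users/login.
        $this->Authentication->addUnauthenticatedActions(['login']);
    }

    public function login()
    {
        $this->request->allowMethod(['get', 'post']);
        $result = $this->Authentication->getResult();

        // Regardless of GET or POST: if the middleware already produced a valid
        // identity (session, form POST, or the decrypted CookieAuth cookie), leave.
        if ($result && $result->isValid()) {
            $target = $this->safeRedirectTarget(
                $this->request->getQuery('redirect'),
                ['controller' => 'Articles', 'action' => 'index'] // assumed landing page
            );

            return $this->redirect($target);
        }

        // Only a submitted form with bad credentials should produce an error;
        // a GET with no cookie is just the empty login page.
        if ($this->request->is('post') && !$result->isValid()) {
            $this->Flash->error(__('Invalid username or password'));
        }
    }

    /**
     * Hypothetical helper: only accept a local, single-slash-relative path from the
     * redirect query parameter; anything else falls back to the default route array.
     * Rejects "http://evil.example", "//evil.example" and "/\evil.example".
     *
     * @param mixed $candidate Raw value of ?redirect=
     * @param array $default Route array to use when the candidate is unsafe
     * @return string|array
     */
    private function safeRedirectTarget($candidate, array $default)
    {
        if (!is_string($candidate) || $candidate === '') {
            return $default;
        }
        if (preg_match('#^/(?![/\\\\])#', $candidate) !== 1) {
            return $default;
        }

        return $candidate;
    }
}
```

The template for this action needs `$this->Form->control('remember_me', ['type' => 'checkbox'])` with the same field name the Cookie authenticator is configured with; the cookie is only written on a login POST where that field is truthy.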