Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
112 views
in Technique by (71.8m points)

What is stored in laravel’s default cookies/sessions?

By default, Laravel creates 2 cookies: XSRF-TOKEN and my_app_session.

I’ve base64_decoded it and there is an array with the keys iv, value and mac in it.

Is there any personal data stored in those cookies? Does it conform with GDPR?

question from: https://stackoverflow.com/questions/65857622/what-is-stored-in-laravel-s-default-cookies-sessions


1 Reply

0 votes
by (71.8m points)

The cookies of Laravel do comply with GDPR, as no personal information is stored.

XSRF-TOKEN

That information is used to protect your site against Cross Site Request Forgery. A purely technical protection mechanism.

my_app_session

This holds information about the current session of the logged-in user of your application. It is necessary to track it for, again, purely technical reasons.

I can assure you that no personal information that could be non-compliant with GDPR is stored.

Storing users' data, be it personal or not, is allowed if you can explain a legitimate interest in storing it. This is also explained in detail on the GDPR site.

As these two tokens are created even in completely new Laravel applications where no user data is present/stored, you can answer the question yourself, if any GDPR non-compliant data is stored ;-)
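To check what such a cookie actually carries, the iv/value/mac array from the question can be opened with the application's own key. The following is an added example, not code from the original post or from Laravel itself. It assumes the envelope is AES-256-CBC ciphertext with an HMAC-SHA256 over the base64 `iv` concatenated with `value`, both keyed by the application key; `seal_envelope`, `open_envelope`, the key and the plaintext are hypothetical, constructed stand-ins.

```php
<?php
// Added example: the iv/value/mac envelope, modelled as AES-256-CBC + HMAC-SHA256.
// The key and plaintext are constructed sample values, not taken from a real app.

function seal_envelope(string $plaintext, string $key): string
{
    $iv = random_bytes(16);
    // Option 0 makes openssl_encrypt return base64 text instead of raw bytes.
    $value = openssl_encrypt($plaintext, 'aes-256-cbc', $key, 0, $iv);
    $iv = base64_encode($iv);
    $mac = hash_hmac('sha256', $iv . $value, $key);
    return base64_encode(json_encode(compact('iv', 'value', 'mac'), JSON_UNESCAPED_SLASHES));
}

function open_envelope(string $cookie, string $key): string
{
    // Browsers show the cookie URL-encoded (e.g. "%3D" for "="), so undo that first.
    $payload = json_decode(base64_decode(rawurldecode($cookie), true) ?: '', true);
    foreach (['iv', 'value', 'mac'] as $field) {
        if (!is_array($payload) || !is_string($payload[$field] ?? null)) {
            throw new RuntimeException("Malformed envelope: missing $field");
        }
    }
    $iv = base64_decode($payload['iv'], true);
    if ($iv === false || strlen($iv) !== 16) {
        throw new RuntimeException('Malformed envelope: bad IV length');
    }
    // Authenticate before decrypting; hash_equals compares in constant time.
    $expected = hash_hmac('sha256', $payload['iv'] . $payload['value'], $key);
    if (!hash_equals($expected, $payload['mac'])) {
        throw new RuntimeException('MAC mismatch: wrong key or tampered cookie');
    }
    $plain = openssl_decrypt($payload['value'], 'aes-256-cbc', $key, 0, $iv);
    if ($plain === false) {
        throw new RuntimeException('Decryption failed');
    }
    return $plain;
}

$key = random_bytes(32); // stand-in for the decoded application key
$cookie = seal_envelope('constructed-session-id-0123456789', $key);

// Without the key, only the three field names are visible.
echo implode(',', array_keys(json_decode(base64_decode($cookie), true))), "\n";
echo open_envelope($cookie, $key), "\n";

try {
    open_envelope($cookie, random_bytes(32)); // any other key fails the MAC check
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```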

