
Change cipher in Laravel encryption


Yes you can do so. The only "built in" side effect should be that your users get logged out.

I say "built in" because if you have something else using that encryption key (running crypt/decrypt on data in your db, api/auth tokens, etc) then you'd have to figure out how to migrate those as well.


I just tried it in a running application, and at least it throws exceptions for users that already have cookies/sessions when you are using 'encrypt' => true in config/sessions.php (which is disabled by default).

ErrorException in Encrypter.php line 101: openssl_decrypt(): IV passed is 32 bytes long which is longer than the 16 expected by selected cipher, truncating

Edit: This can be fixed by editing app/Http/Middleware/EncryptCookies.php and adding this function:

    // Add next to the other use statements at the top of the file, so the
    // type hint matches the parent class's decrypt() signature:
    // use Symfony\Component\HttpFoundation\Request;

    protected function decrypt(Request $request)
    {
        foreach ($request->cookies as $key => $c) {
            // Cookies listed in $except are passed through untouched.
            if ($this->isDisabled($key)) {
                continue;
            }

            try {
                $request->cookies->set($key, $this->decryptCookie($c));
            } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
                // Invalid payload or MAC: drop the cookie instead of failing the request.
                $request->cookies->set($key, null);
            } catch (\ErrorException $e) {
                // openssl warnings (such as the IV length warning above) are turned
                // into ErrorException by Laravel; treat them the same way.
                $request->cookies->set($key, null);
            }
        }

        return $request;
    }

This will remove the cookies that cannot be decoded, so basically it logs the user out.


It is totally safe to change from MCRYPT_RIJNDAEL_128 to 'AES-256-CBC'

How I tested it:

1. First I encrypted text with MCRYPT_RIJNDAEL_128.
2. After that, I changed the cipher to 'AES-256-CBC' in config/app.php.
3. Third, I decrypted the encrypted string from the first step.
4. I also tested that logged-in users stay logged in after the cipher change.

So it is safe to say that changing cipher won't affect you.

Note, you can get "Warning: Use of undefined constant MCRYPT_RIJNDAEL_128" when updating to PHP 7.1 or PHP 7.2. That's when I saw that I needed to change the cipher.
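The first answer warns that anything else encrypted with the application key (values in your database, API tokens) has to be migrated too, and the last answer describes the test of encrypting under the old cipher, switching, and decrypting. The script below is an added example that is not code from any of the answers or from Laravel itself. It shows both points with the two openssl ciphers Laravel's Encrypter supports (the mcrypt constant is gone on PHP 7.2+, so AES-128-CBC stands in for the old configuration), and it goes a step beyond the answers by changing the key as well as the cipher, since the two ciphers need different key lengths. It assumes illuminate/encryption is installed through Composer, as in any Laravel 5.x app; the keys, the "rows" and the reencrypt() helper are constructed for the demo.

```php
<?php
// Added example (not from the answers above): migrating values encrypted under
// one Laravel cipher/key to a new cipher/key. Assumes illuminate/encryption is
// available via Composer. Keys and rows are constructed for the demo.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Encryption\Encrypter;
use Illuminate\Contracts\Encryption\DecryptException;

// Old and new configuration (constructed; a real run takes them from APP_KEY).
$oldCipher = 'AES-128-CBC';
$oldKey    = random_bytes(16);   // Laravel requires a 16-byte key for AES-128-CBC
$newCipher = 'AES-256-CBC';
$newKey    = random_bytes(32);   // and a 32-byte key for AES-256-CBC

foreach ([[$oldKey, $oldCipher], [$newKey, $newCipher]] as list($key, $cipher)) {
    if (!Encrypter::supported($key, $cipher)) {
        throw new RuntimeException("$cipher needs a key of the right length");
    }
}

$old = new Encrypter($oldKey, $oldCipher);
$new = new Encrypter($newKey, $newCipher);

// Constructed "database rows" encrypted under the old configuration.
$rows = [
    1 => $old->encrypt('api-token-1'),
    2 => $old->encrypt(['user' => 42, 'scope' => 'read']),
];

// Row 3: a valid ciphertext whose MAC has been zeroed, to exercise the failure path.
$payload = json_decode(base64_decode($old->encrypt('damaged')), true);
$payload['mac'] = str_repeat('0', strlen($payload['mac']));
$rows[3] = base64_encode(json_encode($payload));

/**
 * Decrypt each row with the old Encrypter and re-encrypt it with the new one.
 * Rows that fail to decrypt are reported and left for manual inspection
 * rather than silently overwritten or dropped.
 *
 * @return array [migrated rows keyed by id, failure reasons keyed by id]
 */
function reencrypt(array $rows, Encrypter $old, Encrypter $new)
{
    $migrated = [];
    $failed   = [];

    foreach ($rows as $id => $ciphertext) {
        try {
            $plain = $old->decrypt($ciphertext);
        } catch (DecryptException $e) {
            $failed[$id] = $e->getMessage();
            continue;
        }
        $migrated[$id] = $new->encrypt($plain);
    }

    return [$migrated, $failed];
}

// Why a migration step is needed at all: the new Encrypter rejects old payloads,
// because its MAC check runs with the new key.
try {
    $new->decrypt($rows[1]);
    echo "unexpected: new encrypter read an old payload\n";
} catch (DecryptException $e) {
    echo "new encrypter cannot read old payload: " . $e->getMessage() . "\n";
}

list($migrated, $failed) = reencrypt($rows, $old, $new);

foreach ($migrated as $id => $ciphertext) {
    // Round trip under the new configuration to confirm the row is readable.
    $plain = $new->decrypt($ciphertext);
    printf("row %d migrated, decrypts to %s\n", $id, json_encode($plain));
}
foreach ($failed as $id => $reason) {
    printf("row %d NOT migrated: %s\n", $id, $reason);
}
```

Two things to keep in mind when turning this into a real artisan command: an APP_KEY that starts with "base64:" has to be base64-decoded (Laravel's encryption service provider strips the prefix and decodes the rest before handing the key to the Encrypter), and inside a running Laravel app openssl warnings such as the IV length warning quoted in the second answer are converted to \ErrorException, so the migration loop should catch that alongside DecryptException.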