Assume that you have a cookie string like this:
Q2FrZQ==.AAAAAAAAAAAABBBBBBBBBBBBBCCCCCCCCCCCCCCDDDDDDDDDDDDD
How can you decrypt this in CakePHP 3 by using AES?
It seems like Cake\Utility\Security::decrypt($cipher, $key, $hmacSalt = null) does it:
http://book.cakephp.org/3.0/en/core-libraries/security.html#Cake\Utility\Security::decrypt
But what about the parameters? hmacSalt is the application's salt value, but what's the key value in the second argument?
Just take a look at the source of the cookie component: the $hmacSalt argument is not being used,
https://github.com/cakephp/.../Controller/Component/CookieComponent.php#L437
and the $key argument is fed with the component's key config option value, which holds
"Encryption key used when encrypted cookies are enabled. Defaults to Security.salt."
So unless you have manually configured the cookie component's key option, all you'd need for decrypting an AES encrypted cookie value should be
Security::decrypt($value, Security::salt());
where $value is the properly extracted and decoded, raw encrypted data as the cookie component would pass it:
$prefix = 'Q2FrZQ==.';
$value = base64_decode(substr($value, strlen($prefix)));
https://github.com/cakephp/.../Controller/Component/CookieComponent.php#L431-L432
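
The steps from the answer above combined into one helper, as an added example that is not part of the original answer or of CakePHP itself. The function name decryptCakeCookie is hypothetical, and the code assumes a bootstrapped CakePHP 3 application so that Cake\Utility\Security and the configured salt are available.

```php
<?php
// Added example, not CakePHP's own code. Assumes a bootstrapped CakePHP 3
// application (autoloader and Security.salt already configured).
use Cake\Utility\Security;

/**
 * Hypothetical helper: decrypt one AES-encrypted cookie value.
 *
 * @param string      $cookie Raw cookie string, e.g. "Q2FrZQ==.<base64 data>"
 * @param string|null $key    The cookie component's `key` option if it was
 *                            configured; null falls back to Security::salt().
 * @return string|null Plaintext, or null if the value is malformed or
 *                     fails the integrity check.
 */
function decryptCakeCookie($cookie, $key = null)
{
    $prefix = 'Q2FrZQ==.';

    // This helper only handles values that carry the prefix shown above.
    if (strncmp($cookie, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Strict mode rejects characters outside the base64 alphabet
    // instead of silently skipping them.
    $raw = base64_decode(substr($cookie, strlen($prefix)), true);
    if ($raw === false || $raw === '') {
        return null; // nothing usable to decrypt
    }

    if ($key === null) {
        $key = Security::salt();
    }

    // Security::decrypt() returns false when the HMAC check fails,
    // i.e. the key is wrong or the cookie was modified.
    $plain = Security::decrypt($raw, $key);

    return $plain === false ? null : $plain;
}
```

Treat a null result as an untrusted cookie and discard it rather than falling back to the raw value.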