Panel still shows “cookie signing key has not been changed” despite correctly set cookie.key option (Kirby 5.4.4)
Setup
- Kirby version: 5.4.4 (Kirby Basic, valid license)
- PHP: 8.4.12
- Server: Apache (hosted at dogado)
- Plain PHP setup (no Composer, classic kirby folder)
Problem
In the Panel under System → Security, the following warning is permanently displayed:
The cookie signing key has not been changed from its default value
This happens even though I set a custom value for the cookie key in config.php, following the security guide docs. The content.salt warning correctly disappeared after the same approach — only the cookie key warning remains.
What I’ve already tried / checked
1. First attempt — option named exactly as worded in the docs:
"Kirby\Http\Cookie::\$key" => "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
→ Warning remained.
2. Checked the Kirby source code (src/Http/Cookie.php, hmac() method):
protected static function hmac(string $value): string
{
    // prefer the option if it was set, otherwise use the value
    // set directly to this class (for backwards-compatibility)
    // or fall back to the fixed default set directly with the prop
    $key = App::instance(lazy: true)?->option('cookie.key') ?: static::$key;
    return hash_hmac('sha1', $value, $key);
}
This shows that the actual option key is cookie.key, not Kirby\Http\Cookie::$key (the latter appears to just be the docs referencing the PHP class name, not an actual config array key).
3. Second attempt — corrected option:
"cookie.key" => "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
→ Warning in the Panel is still showing.
Verification via debug script
To rule out another config file (e.g. host-specific) overriding something, I placed a small script right next to index.php that boots Kirby normally and outputs the active values:
<?php
// Debug script placed next to index.php: boots Kirby normally and prints the active values
require __DIR__ . '/kirby/bootstrap.php';
$kirby = new Kirby();
$host = $kirby->environment()->host();
$cookieKey = \Kirby\Http\Cookie::$key;            // static property (default 'KirbyHttpCookieKey')
$cookieKeyOption = $kirby->option('cookie.key');  // value read from config.php
echo "Detected hostname: $host\n";
echo "Active Cookie::\$key: $cookieKey\n";
echo "Option 'cookie.key': $cookieKeyOption\n";
Output:
Detected hostname: example.com
Expected host config path: .../config/config.example.com.php
This file exists: no
Active Cookie::$key: KirbyHttpCookieKey <- default!
Option 'cookie.key': xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Active content.salt: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The odd part: the cookie.key option comes through correctly with my value ($kirby->option('cookie.key') returns the right string). Yet \Kirby\Http\Cookie::$key still shows the default KirbyHttpCookieKey, and the Panel keeps showing the warning accordingly.
It looks to me as if the static property Cookie::$key is no longer (or never was) automatically populated from the cookie.key option, or as if the Panel’s security check compares directly against Cookie::$key === 'KirbyHttpCookieKey', while hmac() itself correctly pulls from the option at runtime. If that’s the case, this would be an inconsistency between the actual cookie signing (which presumably works correctly with my value) and the Panel’s warning display itself.
Questions for you
- Is cookie.key actually the correct/only way to set this value, or does Kirby\Http\Cookie::$key additionally need to be set directly as a static property, e.g. via a bootstrap hook / ready callback?
- If the latter: what's the correct syntax for this in config.php? The security guide uses the class name directly as the example option key, which suggests (to me, and probably others) that a simple array entry should be sufficient.
- Does the Panel security warning possibly check the wrong thing (static property instead of option), causing it to fire even when the signing itself is already working correctly?
Thanks for your help — I just want to make sure the cookie signing is actually using my custom value, rather than just making the warning disappear without the underlying protection actually being in effect.