Laravel documentation says
All of Laravel's encrypted values are signed using a message authentication code (MAC) so that their underlying value can not be modified once encrypted.
In practice it means that the payload is accompanied with a little hash value. It is not a secret of how this value is generated because Laravel is an open source product. The source code says this:
// Once we get the encrypted value we'll go ahead and base64_encode the input
// vector and create the MAC for the encrypted value so we can then verify
// its authenticity. Then, we'll JSON the data into the "payload" array.
$mac = $this->hash($iv = base64_encode($iv), $value);
I personally don't see the benefit of this MAC for Laravel. Why is it there?
I mean, if we already have public key that goes along with the message and the private key hidden somewhere and openssl_encrypt as a processor. How MAC can contribute to the security? Or does it contribute to something else?
as James K Polk said
A MAC uses the key, so an attacker cannot generate a correct one unless he has the key.
A MAC is needed to protect against intentional ciphertext modification.