Changing $config->userAuthSalt and $config->tableSalt values


DrQuincy

I have created a brochureware template site that I can clone and put sites together more quickly.

I have just copied it for the first time and I replaced the $config->userAuthSalt and $config->tableSalt values with a cryptographically secure hex token of the same length. I have the password reset module installed, so I reset the password and logged in with no problem (there is only one user in the template).

The site seems to work fine. I just wanted to check this was safe to do.

It seems userAuthSalt is a secret salt for hashing the user passwords (in addition to the one built in to bcrypt) hence the need to change the password. Looking at the source it seems tableSalt is never used internally by PW anyway.

Am I right in my assumptions? If so, I'm probably okay to change them as I have done — and actually having multiple sites with the same values is also not going to be much of an issue in most cases.


On 11/5/2021 at 1:00 PM, DrQuincy said:

Am I right in my assumptions?

I think so. It is only used with passwords: https://processwire.com/talk/topic/6629-config-httphosts-and-passwords/?p=64888

Quoting Ryan: "That particular value is generated randomly when you first install ProcessWire. It is forever tied to the passwords as a secondary salt. It's not technically necessary to have it, and passwords are already blowfish'd, but I've always felt better having one part of the salt disconnected from the database itself. If that salt changes or is lost, then all the passwords are forever broken."

 

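The behaviour discussed in this thread, as an added example that is not part of the original posts and is not ProcessWire's own code: a site-wide secret kept in the config file is mixed into each password before bcrypt, so replacing the secret on a cloned site invalidates every copied hash until the password is reset. The function names, the HMAC construction and the 20-byte token length are assumptions made for illustration.

```php
<?php
// Added illustration, not ProcessWire's implementation: a site-wide secret
// held in the config file acts as a secondary salt on top of bcrypt's own.
declare(strict_types=1);

// Hypothetical helper: a fresh hex token of the kind pasted into the config.
function newSiteSalt(int $bytes = 20): string
{
    return bin2hex(random_bytes($bytes)); // CSPRNG, two hex chars per byte
}

// HMAC the password with the site secret. The hex digest is 64 characters,
// which stays under bcrypt's 72-byte input limit and contains no NUL bytes.
function pepper(string $password, string $siteSalt): string
{
    return hash_hmac('sha256', $password, $siteSalt);
}

function hashPassword(string $password, string $siteSalt): string
{
    // bcrypt generates its own per-user salt and embeds it in the result,
    // so only the site secret lives outside the database.
    return password_hash(pepper($password, $siteSalt), PASSWORD_BCRYPT);
}

function verifyPassword(string $password, string $stored, string $siteSalt): bool
{
    return password_verify(pepper($password, $siteSalt), $stored);
}

// Constructed sample data: the template site and its single user.
$templateSalt = newSiteSalt();
$stored = hashPassword('correct horse', $templateSalt); // users-table value

// Same secret as when the hash was created: the login check succeeds.
var_dump(verifyPassword('correct horse', $stored, $templateSalt));

// Cloned site: config secret replaced, database copied unchanged. The hash
// was made under the old secret, so the correct password no longer verifies.
$cloneSalt = newSiteSalt();
var_dump(verifyPassword('correct horse', $stored, $cloneSalt));

// A password reset recomputes the hash under the new secret.
$stored = hashPassword('correct horse', $cloneSalt);
var_dump(verifyPassword('correct horse', $stored, $cloneSalt));
```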
