DrQuincy, posted November 5, 2021

I have created a brochureware template site that I can clone and put sites together more quickly.

I have just copied it for the first time and I replaced the $config->userAuthSalt and $config->tableSalt values with a cryptographically secure hex token of the same length. I have the password reset module installed so reset the password and logged in no problem (there is only one user in the template). The site seems to work fine.

I just wanted to check this was safe to do. It seems userAuthSalt is a secret salt for hashing the user passwords (in addition to the one built in to bcrypt) hence the need to change the password. Looking at the source it seems tableSalt is never used internally by PW anyway.

Am I right in my assumptions? If so, I'm probably okay to change them as I have done — and actually having multiple sites with the same values is also not going to be much of an issue in most cases.

szabesz, posted November 6, 2021

On 11/5/2021 at 1:00 PM, DrQuincy said: "Am I right in my assumptions?"

I think so. It is only used with passwords: https://processwire.com/talk/topic/6629-config-httphosts-and-passwords/?p=64888

Quoting Ryan: "That particular value is generated randomly when you first install ProcessWire. It is forever tied to the passwords as a secondary salt. It's not technically necessary to have it, and passwords are already blowfish'd, but I've always felt better having one part of the salt disconnected from the database itself. If that salt changes or is lost, then all the passwords are forever broken."

DrQuincy, posted November 8, 2021

Great, thanks.
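
Why replacing the config secret forces a password reset, as an added PHP example that is not ProcessWire's code and was not posted in the thread. The HMAC-then-bcrypt construction, the function names and the 32-character token length are assumptions made for illustration.

```php
<?php
// Added illustration; not ProcessWire's implementation. Combining the secret
// with the password via HMAC-SHA256 before bcrypt is an assumption made here.

// Generate a replacement secret as a hex token, as the question describes.
function newSecretSalt(int $hexLength = 32): string
{
    // random_bytes() draws from the OS CSPRNG; bin2hex() doubles the length.
    return bin2hex(random_bytes(intdiv($hexLength, 2)));
}

// Pre-hash with the secret kept in the config file, outside the database.
function pepper(string $password, string $secretSalt): string
{
    // Base64 output (44 chars) stays under bcrypt's 72-byte input limit and
    // contains no NUL bytes, which raw HMAC output could.
    return base64_encode(hash_hmac('sha256', $password, $secretSalt, true));
}

function hashPassword(string $password, string $secretSalt): string
{
    // PASSWORD_BCRYPT adds its own per-password salt, stored inside the hash.
    return password_hash(pepper($password, $secretSalt), PASSWORD_BCRYPT);
}

function verifyPassword(string $password, string $secretSalt, string $stored): bool
{
    return password_verify(pepper($password, $secretSalt), $stored);
}

// Constructed sample values: the template site's secret and its one user.
$templateSalt = newSecretSalt();
$stored = hashPassword('correct horse battery staple', $templateSalt);

// Cloned site: the database row is copied as-is, the config secret is replaced.
$cloneSalt = newSecretSalt();

// Same password and same stored hash, checked under each secret.
var_dump(verifyPassword('correct horse battery staple', $templateSalt, $stored));
var_dump(verifyPassword('correct horse battery staple', $cloneSalt, $stored));

// A password reset writes a fresh hash under the new secret.
$stored = hashPassword('new password set by reset', $cloneSalt);
var_dump(verifyPassword('new password set by reset', $cloneSalt, $stored));
```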