Generating random string at install

8 views
Skip to first unread message

Alexander Obuhovich

unread,
Jul 27, 2012, 7:29:47 AM7/27/12
to Development In-Portal
I propose to generate random string (like WordPress does) during In-Portal installation and then potentially use it in various security-related places, like password hashing (along with existing hashing system of course) and such.

This would ensure that even 2 In-Portal installations having same users (with same passwords) registered would still have different hashed passwords. Maybe we can find other interesting uses of this new random string in time.

--
Best Regards,

http://www.in-portal.com
http://www.alex-time.com

Dmitry A.

unread,
Jul 27, 2012, 5:48:55 PM7/27/12
to in-por...@googlegroups.com
Hi Alex,

Yes, I think it's a great idea - let's have this for 5.2.1(quite minor add-on) or 5.3.0?

Your thoughts?

DA

Alexander Obuhovich

unread,
Aug 6, 2012, 10:58:06 AM8/6/12
to in-por...@googlegroups.com
Why not.

I've found an interesting article about mistrusting cookie values submitted by browser to web server - http://phpadvent.org/2011/bake-cookies-like-a-chef-by-michael-nitschinger.
That article explains in details how we can encode/hash cookie values to make sure that In-Portal did set these cookies and they were not faked by user, who wants to hack website.
We can use random string as password used to hash/encode cookies.

Dmitry A.

unread,
Aug 6, 2012, 11:21:21 AM8/6/12
to in-por...@googlegroups.com
Interesting article you found Alex!

Yes, I think we should move in this direction too. Let's start with creating a task for Random Secret Key during the installation.


DA

Alexander Obuhovich

unread,
Nov 5, 2012, 12:24:34 PM11/5/12
to Development In-Portal
Task for random string generation: http://tracker.in-portal.org/view.php?id=1435

Alexander Obuhovich

unread,
Dec 12, 2012, 6:35:42 AM12/12/12
to Development In-Portal
Here are patches for both tasks (provided by Erik), ready for testing.
encrypt_cookie_1436_v4.patch
random_string_configuration_1435_v4.patch
Reply all
Reply to author
Forward
0 new messages