Generating random string at install


Alexander Obuhovich

Jul 27, 2012, 7:29:47 AM
to Development In-Portal
I propose to generate a random string (like WordPress does) during In-Portal installation and then potentially use it in various security-related places, like password hashing (along with the existing hashing system, of course) and such.

This would ensure that even 2 In-Portal installations having the same users (with the same passwords) registered would still have different hashed passwords. Maybe we can find other interesting uses of this new random string in time.

--
Best Regards,

http://www.in-portal.com
http://www.alex-time.com

Dmitry A.

Jul 27, 2012, 5:48:55 PM
to in-por...@googlegroups.com
Hi Alex,

Yes, I think it's a great idea - let's have this for 5.2.1 (quite a minor add-on) or 5.3.0?

Your thoughts?

DA

Alexander Obuhovich

Aug 6, 2012, 10:58:06 AM
to in-por...@googlegroups.com
Why not.

I've found an interesting article about mistrusting cookie values submitted by the browser to the web server - http://phpadvent.org/2011/bake-cookies-like-a-chef-by-michael-nitschinger.
That article explains in detail how we can encode/hash cookie values to make sure that In-Portal did set these cookies and they were not faked by a user who wants to hack the website.
We can use the random string as the password used to hash/encode cookies.
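
An added example, not part of the thread and not In-Portal code: one way to generate a per-installation secret and use it to authenticate cookie values, as proposed above. All function names are hypothetical, HMAC-SHA256 is this example's choice of construction, and PHP 7 or later is assumed for `random_bytes()`.

```php
<?php
// Added example; every name below is hypothetical, not an In-Portal identifier.

// Run once at install time: 32 bytes from the OS CSPRNG, hex-encoded so the
// result can be stored in a configuration file.
function generate_install_secret(): string
{
    return bin2hex(random_bytes(32));
}

// Build "<base64(value)>.<hex HMAC-SHA256>" for a named cookie.
function sign_cookie(string $name, string $value, string $secret): string
{
    $payload = base64_encode($value); // the base64 alphabet never contains '.'
    // The cookie name is part of the MAC input, so a signed value cannot be
    // replayed under a different cookie name.
    $mac = hash_hmac('sha256', $name . '|' . $payload, $secret);
    return $payload . '.' . $mac;
}

// Return the original value, or null when the cookie is malformed or its MAC
// was not produced with this installation's secret.
function verify_cookie(string $name, string $cookie, string $secret): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $name . '|' . $payload, $secret);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    $value = base64_decode($payload, true);
    return $value === false ? null : $value;
}

// Constructed sample data: two installations, each with its own secret.
$siteA = generate_install_secret();
$siteB = generate_install_secret();
$cookie = sign_cookie('user_id', '42', $siteA);

// A browser-side edit: swap the payload but keep the old MAC.
$tampered = base64_encode('1') . substr($cookie, strpos($cookie, '.'));

var_dump(verify_cookie('user_id', $cookie, $siteA));   // untouched cookie
var_dump(verify_cookie('user_id', $tampered, $siteA)); // edited payload
var_dump(verify_cookie('user_id', $cookie, $siteB));   // other installation's secret
```

The secret has to stay server-side and outside the web root; anyone who can read it can mint cookies that verify.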

Dmitry A.

Aug 6, 2012, 11:21:21 AM
to in-por...@googlegroups.com
Interesting article you found, Alex!

Yes, I think we should move in this direction too. Let's start with creating a task for Random Secret Key during the installation.


DA

Alexander Obuhovich

Nov 5, 2012, 12:24:34 PM
to Development In-Portal
Task for random string generation: http://tracker.in-portal.org/view.php?id=1435

Alexander Obuhovich

Dec 12, 2012, 6:35:42 AM
to Development In-Portal
Here are patches for both tasks (provided by Erik), ready for testing.
encrypt_cookie_1436_v4.patch
random_string_configuration_1435_v4.patch