so many secrets?

  1. BB_SECRET_KEY

    BB_SECRET_SALT

    (database) secret

    what's the difference? what needs to match what for wp integration?
    can we have some or one without the other? I'm confused.

    WP 2.6 -> BBP 1alpha

  2. necessary for WP 2.6 -> BBP 1alpha:
    WordPress "auth" cookie key
    WordPress "secure auth" cookie key
    WordPress "logged in" cookie key

  3. thanks for making the effort, but that's not what I asked.

  4. The cookies in bbPress 1.0 and WordPress 2.6 are based on recommendations from a security whitepaper by a top researcher.

    Half of the key used in the cookie is kept in the database and the other half of the key is kept in the configuration file (bb-config.php / wp-config.php).

    The idea is to make it harder for an attacker to compromise the system. They may gain file access but not db access or vice versa - therefore the other half is safe.

    When I say "half" it's not literal - but essentially the secret keys are "salted" with the secret salt. "Salting" is a much more complex operation than needs to be explained here (see Wikipedia).
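
The split described in the last reply, as an added sketch in Python that is not bbPress or WordPress code and not part of the original thread: a cookie is signed with a key derived from one value held in the configuration file and one held in the database, so a cookie built with only one of the two fails verification. The HMAC-SHA256 construction, the `user|expires|tag` layout, and every name and value below are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample values; both names are hypothetical stand-ins.
CONFIG_SECRET_KEY = b"value-kept-in-config-file"  # e.g. defined in bb-config.php
DB_SECRET_SALT = b"value-kept-in-database"        # e.g. stored in an options table


def signing_key(config_key: bytes, db_salt: bytes) -> bytes:
    """Derive the cookie-signing key from both stored values."""
    return hmac.new(config_key, db_salt, hashlib.sha256).digest()


def make_cookie(user: str, expires: int, config_key: bytes, db_salt: bytes) -> str:
    """Build 'user|expires|tag', where tag authenticates user and expiry."""
    msg = f"{user}|{expires}".encode()
    key = signing_key(config_key, db_salt)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{user}|{expires}|{tag}"


def verify_cookie(cookie: str, config_key: bytes, db_salt: bytes, now=None):
    """Return the user name for an authentic, unexpired cookie, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, expires, tag = parts
    if not (expires.isascii() and expires.isdigit()):
        return None
    # Recompute the tag with the server's own two values.
    expected = make_cookie(user, int(expires), config_key, db_salt).rsplit("|", 1)[1]
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if int(expires) < (time.time() if now is None else now):
        return None
    return user


if __name__ == "__main__":
    good = make_cookie("alice", 2000, CONFIG_SECRET_KEY, DB_SECRET_SALT)
    print(verify_cookie(good, CONFIG_SECRET_KEY, DB_SECRET_SALT, now=1000))
    # A cookie built from the config value plus a wrong database value is rejected.
    partial = make_cookie("alice", 2000, CONFIG_SECRET_KEY, b"wrong-salt")
    print(verify_cookie(partial, CONFIG_SECRET_KEY, DB_SECRET_SALT, now=1000))
```

For two installations to accept each other's cookies under this scheme, both values have to match on both sides, since either one differing changes the derived key.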
