
so many secrets?


  • flywitness
    Member

    @flywitness

    BB_SECRET_KEY

    BB_SECRET_SALT

    (database) secret

    What's the difference? What needs to match what for WP integration?

    Can we have some or one without the other? I’m confused.

    WP 2.6 -> BBP 1alpha

Viewing 3 replies - 1 through 3 (of 3 total)

  • cartmanffc
    Member

    @cartmanffc

    necessary for WP 2.6 -> BBP 1alpha:

    WordPress “auth” cookie key

    WordPress “secure auth” cookie key

    WordPress “logged in” cookie key


    flywitness
    Member

    @flywitness

    Thanks for making the effort, but that's not what I asked.


    _ck_
    Participant

    @_ck_

    The cookies in bbPress 1.0 and WordPress 2.6 are based on recommendations from a security whitepaper by a top researcher.

    Half of the key used in the cookie is kept in the database and the other half of the key is kept in the configuration file (bb-config.php / wp-config.php).

    The idea is to make it harder for an attacker to compromise the system. They may gain file access but not db access or vice versa – therefore the other half is safe.

    When I say “half” it’s not literal – but essentially the secret keys are “salted” with the secret salt. “Salting” is a much more complex operation than needs to be explained here (see Wikipedia).
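
A simplified model of the split-key idea described in the reply above, added here as an illustration; it is not part of the thread and is not WordPress or bbPress code. The HMAC-SHA256 construction, the function names and all sample values are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Optional

def derive_key(config_secret: str, db_salt: str) -> bytes:
    # The signing key depends on BOTH halves: the config-file secret
    # keys an HMAC computed over the salt stored in the database.
    return hmac.new(config_secret.encode(), db_salt.encode(), hashlib.sha256).digest()

def _mac(payload: str, config_secret: str, db_salt: str) -> str:
    key = derive_key(config_secret, db_salt)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def make_cookie(user: str, expires: int, config_secret: str, db_salt: str) -> str:
    payload = f"{user}|{expires}"
    return f"{payload}|{_mac(payload, config_secret, db_salt)}"

def verify_cookie(cookie: str, now: int, config_secret: str, db_salt: str) -> Optional[str]:
    # rsplit so a '|' inside the user name cannot shift the fields
    parts = cookie.rsplit("|", 2)
    if len(parts) != 3:
        return None
    user, expires, mac = parts
    try:
        if int(expires) < now:
            return None  # expired
    except ValueError:
        return None  # malformed expiry field
    expected = _mac(f"{user}|{expires}", config_secret, db_salt)
    # constant-time comparison of the presented and recomputed MAC
    return user if hmac.compare_digest(mac.encode(), expected.encode()) else None

# Constructed sample values (hypothetical, not real keys)
FILE_SECRET = "constructed-config-file-secret"
DB_SALT = "constructed-database-salt"
NOW = 1_700_000_000

if __name__ == "__main__":
    cookie = make_cookie("alice", NOW + 3600, FILE_SECRET, DB_SALT)
    print(verify_cookie(cookie, NOW, FILE_SECRET, DB_SALT))          # both halves match
    print(verify_cookie(cookie, NOW, FILE_SECRET, "other-db-salt"))  # database half differs
    print(verify_cookie(cookie, NOW, "other-file-secret", DB_SALT))  # config half differs
    # Cookie signed by someone holding the file half but only guessing the database half
    forged = make_cookie("admin", NOW + 3600, FILE_SECRET, "guess")
    print(verify_cookie(forged, NOW, FILE_SECRET, DB_SALT))
```

In this model a cookie issued by one application is accepted by another only when both the config-file value and the database value are identical on the two sides.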
