Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Tighten.co Blog:
APP_KEY And You
Sep 26, 2018 @ 14:49:21

On the Tighten.co blog there's a tutorial posted from Jake Bathman for the Laravel users out there covering the APP_KEY value - what it is and how its used in your application.

A recent Laravel security update fixed an issue with how APP_KEY is used. For someone to exploit this issue, they'd need to have access to the production APP_KEY. The simplest fix for the exploit is to rotate (change) your APP_KEY. That led some of us at Tighten to ask the question: What does the app key do? What is involved in rotating it? What are best practices for managing these keys for our Laravel applications?

In this post, we'll talk about what APP_KEY does and doesn't do, some common misconceptions about its relationship to user password hashing, and the simple steps to changing your APP_KEY safely without losing access to your data.

Before diving in too deep, he reminds the reader about a security release Laravel recently made to correct an issue with APP_KEY handling (and the recommendation to rotate it). It then moves on to talk about what the setting is, how to generate a new one and its use in cookies. It also tries to dispel myths around:

  • its use for password hashing (it's not)
  • where it is used for encryption
  • rotating the key
  • multi-server use

It also makes a recommendation of the process to use for currently encrypted data that was created using the previous APP_KEY value and how to re-encrypt.

tagged: appkey laravel tutorial myth encryption hashing

Link: https://tighten.co/blog/app-key-and-you

Laravel News:
Security Release - Laravel v5.6.30 and v5.5.42 have been released
Aug 09, 2018 @ 14:34:59

On the Laravel News site they've posted an announcement recommending all Laravel 5.6.x and 5.5.x users upgrade to the latest release (5.6.30 & 5.5.42) due to a security issue dealing with the APP_KEY value.

Laravel 5.6.30 and Laravel 5.5.42 have both been released to fix a security issue and is recommended that all users upgrade as soon as possible.

This update also includes changes to cookie encryption and serialization logic. In addition to the upgrade, they also recommend rotating the key if you believe any malicious user (or former developer/employee) had access to it. The upgrade guide has the information you need to make the update to your application.

tagged: laravel security release appkey cookie update framework

Link: https://laravel-news.com/laravel-5-6-30


Trending Topics: