php – What is the purpose of the Application Key in a Laravel application?

From the Laravel docs:

Application Key

The next thing you should do after installing Laravel is set your application key to a random string. If you installed Laravel via Composer or the Laravel installer, this key has already been set for you by the php artisan key:generate command.

Typically, this string should be 32 characters long. The key can be set in the .env environment file. If you have not renamed the .env.example file to .env, you should do that now. If the application key is not set, your user sessions and other encrypted data will not be secure!

What I know about the application key is: if the application key is not set, I usually get an exception.

> How does this random string help protect sessions?

> What are the other uses of this application key?

> If I use the same application key everywhere (staging, production, etc.), does that reduce the security of the application?

> What are the best practices for this key?

Solution:

    <?php
    // Illuminate\Encryption\EncryptionServiceProvider (Laravel 5.4+): this is where
    // APP_KEY is read from config('app.key') and turned into the 'encrypter' singleton.
    namespace Illuminate\Encryption;

    use Illuminate\Support\ServiceProvider;
    use Illuminate\Support\Str;
    use RuntimeException;

    class EncryptionServiceProvider extends ServiceProvider
    {
        public function register()
        {
            $this->app->singleton('encrypter', function ($app) {
                $config = $app->make('config')->get('app');

                // If the key starts with "base64:", we will need to decode the key before handing
                // it off to the encrypter. Keys may be base-64 encoded for presentation and we
                // want to make sure to convert them back to the raw bytes before encrypting.
                if (Str::startsWith($key = $this->key($config), 'base64:')) {
                    $key = base64_decode(substr($key, 7));
                }

                return new Encrypter($key, $config['cipher']);
            });
        }

        // Rest of the provider: returns app.key, or throws the exception you see when
        // APP_KEY is missing.
        protected function key(array $config)
        {
            return tap($config['key'], function ($key) {
                if (empty($key)) {
                    throw new RuntimeException(
                        'No application encryption key has been specified.'
                    );
                }
            });
        }
    }

Therefore every component that uses encryption (sessions, the encryption facade for your own use, CSRF tokens) benefits from app_key.

The rest of the questions can be answered by how encryption (AES) works: just open Encrypter.php and confirm that Laravel uses AES and encodes the result as base64.

By using tinker we can see how it is done:

    ➜ laravel git:(staging) ✗ art tinker
    Psy Shell v0.8.17 (PHP 7.1.14 — cli) by Justin Hileman
    >>> encrypt('Hello World!')
    => "eyJpdiI6ImgzK08zSDQyMUE1T1NMVThERjQzdEE9PSIsInZhbHVlIjoiYzlZTk1td0JJZGtrS2luMlo0QzdGcVpKdTEzTWsxeFB6ME5pT1NmaGlQaz0iLCJtYWMiOiI3YTAzY2IxZjBiM2IyNDZiYzljZGJjNTczYzA3MGRjN2U3ZmFkMTVmMWRhMjcwMTRlODk5YTg5ZmM2YjBjMGNlIn0="

Note: I used this key: base64:Qc25VgXJ8CEkp790nqF+eEocRk1o7Yp0lM1jWPUuocQ= to encrypt Hello World!

The result after base64-decoding it (you can try decoding your own session cookie):

    {"iv":"h3+O3H421A5OSLU8DF43tA==","value":"c9YNMmwBIdkkKin2Z4C7FqZJu13Mk1xPz0NiOSfhiPk=","mac":"7a03cb1f0b3b246bc9cdbc573c070dc7e7fad15f1da27014e899a89fc6b0c0ce"}

To understand the JSON above (iv, value, mac) you need to understand AES.

Best practices for the application key

> Store it only in the .env file

> Do not store it in app.php, or in fact in any git-tracked file

> Do not change it unless you really want to, because changing it:

    > Invalidates sessions/cookies (users are logged out)

    > Invalidates password reset tokens

    > Invalidates signed URLs

Obvious Note: Changing the application key has no effect on hashed passwords, since hashing algorithms do not require encryption keys.
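To make the iv/value/mac fields concrete, here is a stand-alone PHP script (added as an example; not Laravel's code and not part of the answer) that does what Illuminate\Encryption\Encrypter::decrypt() does with the exact key and tinker output quoted above: base64/JSON-decode the payload, verify the HMAC-SHA256 with hash_equals, then AES-256-CBC-decrypt and unserialize. The key and payload are the answer's; the function names are mine.

```php
<?php
// Added example (not Laravel's own code): what Illuminate\Encryption\Encrypter::decrypt()
// does with the key and tinker payload quoted in the answer above. Function names are mine.
declare(strict_types=1);

function appKeyBytes(string $appKey): string
{
    // APP_KEY in .env is usually "base64:..."; the encrypter needs the raw 32 bytes (AES-256-CBC).
    if (substr($appKey, 0, 7) === 'base64:') {
        return base64_decode(substr($appKey, 7), true);
    }
    return $appKey;
}

function laravelDecrypt(string $payload, string $key, string $cipher = 'AES-256-CBC')
{
    // Layer 1: the opaque string is base64 of a JSON object with iv, value and mac.
    $json = json_decode(base64_decode($payload, true), true);
    if (!is_array($json) || !isset($json['iv'], $json['value'], $json['mac'])) {
        throw new RuntimeException('The payload is invalid.');
    }
    // Layer 2: mac = HMAC-SHA256 over the base64 iv and base64 ciphertext, keyed with APP_KEY.
    // Compared in constant time; a tampered payload or a different key fails here, before any decryption.
    $expected = hash_hmac('sha256', $json['iv'] . $json['value'], $key);
    if (!hash_equals($expected, $json['mac'])) {
        throw new RuntimeException('The MAC is invalid.');
    }
    // Layer 3: value is base64 AES-CBC ciphertext (openssl option 0 = base64 in/out), iv is 16 raw bytes.
    $plain = openssl_decrypt($json['value'], $cipher, $key, 0, base64_decode($json['iv'], true));
    if ($plain === false) {
        throw new RuntimeException('Could not decrypt the data.');
    }
    // encrypt() serialize()s values by default; refuse object instantiation on the way back.
    return unserialize($plain, ['allowed_classes' => false]);
}

$key = appKeyBytes('base64:Qc25VgXJ8CEkp790nqF+eEocRk1o7Yp0lM1jWPUuocQ=');
$payload = 'eyJpdiI6ImgzK08zSDQyMUE1T1NMVThERjQzdEE9PSIsInZhbHVlIjoiYzlZTk1td0JJZGtrS2luMlo0QzdGcVpKdTEzTWsxeFB6ME5pT1NmaGlQaz0iLCJtYWMiOiI3YTAzY2IxZjBiM2IyNDZiYzljZGJjNTczYzA3MGRjN2U3ZmFkMTVmMWRhMjcwMTRlODk5YTg5ZmM2YjBjMGNlIn0=';

var_dump(laravelDecrypt($payload, $key));

// The same payload under any other key (e.g. after php artisan key:generate) fails the MAC check.
// That is the mechanism behind the best-practice note above: rotating APP_KEY invalidates every
// existing encrypted cookie, session and token at once.
try {
    laravelDecrypt($payload, random_bytes(32));
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```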

Tags: php, laravel

Source: https://codeday.me/bug/20190929/1830369.html
