Signing key in the README doesn't have enough entropy
Closed this issue · 7 comments
I've got a pull request open on a League package that adds a vendor binary to the package for generating a secure key.
I'm wondering whether it's worth splitting this up to be its own package that can be used on a global composer install?
I've made a tool for doing this, not sure if you want me to create a pull request for including it: https://github.com/AndrewCarterUK/CryptoKey
@AndrewCarterUK while this is true, it is documented that the keys should be generated properly.
This package is not supposed to take on that bit, but I'd gladly merge a PR that links to some more clear and complete docs about key generation.
Or are you suggesting to add a ::fromAutoGeneratedKey()?
I'm just suggesting that it's made clear to users that mashing something such as:
$app->pipe(\PSR7Session\Http\SessionMiddleware::fromSymmetricKeyDefaults(
's3ssionp4ssword',
1200 // 20 minutes
));
isn't secure enough for this purpose.
At the moment it looks a little bit like a place to type a password rather than something to fill with lots of bits straight out of a CSPRNG.
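The point being raised above is that the first argument is raw key material, not a password. As an added example (not code from psr7-session or from either participant), this is how a project could generate that key from PHP's CSPRNG and refuse a password-like value at boot time. The `SESSION_KEY` environment variable, the `keygen` invocation, the `loadSymmetricKey()`/`generateSymmetricKey()` helpers and the 32-byte minimum are assumptions for illustration; `$app` is the middleware pipeline from the snippet above.

```php
<?php
// Added example, not part of psr7-session. Generates a symmetric session key from
// a CSPRNG and rejects keys that are too short to hold the expected entropy.
declare(strict_types=1);

// 32 bytes = 256 bits, enough for an HMAC-SHA256 signing key (assumed minimum).
const KEY_BYTES = 32;

/**
 * Fresh key straight from the CSPRNG, base64-encoded so it can live in an
 * environment variable. random_bytes() throws if no secure source is available.
 */
function generateSymmetricKey(): string
{
    return base64_encode(random_bytes(KEY_BYTES));
}

/**
 * Decode the configured key and reject anything shorter than KEY_BYTES.
 * This catches a copied-in README password like 's3ssionp4ssword' (11 bytes
 * after decoding), but it cannot tell a long human-chosen string from random
 * bytes, so the key must actually come from generateSymmetricKey().
 */
function loadSymmetricKey(string $encoded): string
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < KEY_BYTES) {
        throw new InvalidArgumentException(
            'SESSION_KEY must be base64 of at least ' . KEY_BYTES
            . ' CSPRNG bytes; generate one with: php keygen.php generate'
        );
    }
    return $raw;
}

// `php keygen.php generate` prints a key to paste into SESSION_KEY (never into the README).
if (PHP_SAPI === 'cli' && ($argv[1] ?? '') === 'generate') {
    echo generateSymmetricKey(), PHP_EOL;
    exit(0);
}

// Application bootstrap: the key comes from the environment, not from source control.
$key = loadSymmetricKey((string) getenv('SESSION_KEY'));

$app->pipe(\PSR7Session\Http\SessionMiddleware::fromSymmetricKeyDefaults(
    $key,
    1200 // 20 minutes
));
```

Rotating the key invalidates every outstanding session token signed with the old one, so generate it once per environment and store it with the rest of the deployment secrets rather than regenerating at each start.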
Ah yes. This is made clear in the docs, but feel free to add a link and a warning also to the README.
Closed by #36