[wp-trac] [WordPress Trac] #12159: Define random keys and salts during setup-config.php
WordPress Trac
wp-trac at lists.automattic.com
Sun Feb 7 09:44:45 UTC 2010
#12159: Define random keys and salts during setup-config.php
-------------------------+--------------------------------------------------
Reporter: nacin | Owner: ryan
Type: enhancement | Status: new
Priority: normal | Milestone: 3.0
Component: Security | Version:
Severity: normal | Keywords:
-------------------------+--------------------------------------------------
Instead of simply linking to http://api.wordpress.org/secret-key/1.1/ in
wp-config-sample.php, we should fetch that during setup-config.php and
populate the key defines.
Defining keys after the fact generally causes cookie issues (see, for
example, #12142), plus, there's no reason this shouldn't be done
automatically.
I've attached a patch as an example. (In order to use http.php, we need
apply_filters() and get_bloginfo(). The patch also produces a notice due
to parse_url() -- again, just an example.)
This patch doesn't account for the three salts, which I think we should
define as well. We should create a 1.2 version of the API and include
those. (FWIW, the [http://api.wordpress.org/secret-key/1.1/wpmu/salt/ MU
API] includes salts but omits NONCE_KEY.)
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12159>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
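Added example, not part of the ticket, the attached patch, or WordPress core: one way to populate the key defines safely once the response has been fetched, by validating each line before it is written into a PHP file and generating any missing or rejected value locally. The helper names are hypothetical; the three salt constant names, the "put your unique phrase here" placeholder and the 64-character value length are assumptions not stated in the ticket.

```php
<?php
// Added example with hypothetical helper names; not WordPress core code.
const SECRET_NAMES = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                      'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT']; // salt names assumed

// Local fallback: 64 characters drawn with a CSPRNG from an alphabet
// that contains neither ' nor \, so the value cannot end the PHP string.
function local_secret(int $len = 64): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#%^&*()-_[]{}<>~+=,.;:/?|';
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Keep only lines of the exact form define('NAME', 'value'); where NAME is
// allow-listed and value is 64 printable ASCII characters (assumed length)
// without ' or \. Everything else in the response is ignored.
function parse_secret_response(string $body): array {
    $names = implode('|', SECRET_NAMES);
    $re = '/^define\(\'(' . $names . ')\',\s*\'([\x20-\x26\x28-\x5B\x5D-\x7E]{64})\'\);\s*$/';
    $found = [];
    foreach (preg_split('/\R/', $body) as $line) {
        if (preg_match($re, $line, $m)) {
            $found[$m[1]] = $m[2];
        }
    }
    return $found;
}

// Replace each placeholder define in the sample config. A callback is used so
// that $ or \ in a secret is never read as a replacement back-reference.
function populate_config(string $sample, string $apiBody): string {
    $fetched = parse_secret_response($apiBody);
    $re = '/^define\(\s*\'(' . implode('|', SECRET_NAMES) . ')\',\s*\'put your unique phrase here\'\s*\);/m';
    return preg_replace_callback($re,
        fn(array $m): string => sprintf("define('%s', '%s');", $m[1], $fetched[$m[1]] ?? local_secret()),
        $sample);
}

// Constructed input: one valid line, one tampered line, and a salt the response lacks.
$api = "define('AUTH_KEY', '" . str_repeat('a', 64) . "');\n"
     . "define('NONCE_KEY', 'x'); echo 'injected'; //');\n";
$sample = "define('AUTH_KEY', 'put your unique phrase here');\n"
        . "define('NONCE_KEY', 'put your unique phrase here');\n"
        . "define('AUTH_SALT', 'put your unique phrase here');\n";
echo populate_config($sample, $api);
```

In the output, AUTH_KEY carries the fetched value, while NONCE_KEY (tampered line rejected) and AUTH_SALT (absent from the response) receive locally generated values.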