What is the significance of the application key in a Laravel application?

Updated: 2024-10-25 10:29:06

Problem description

From the Laravel docs:

Application Key The next thing you should do after installing Laravel is set your application key to a random string. If you installed Laravel via Composer or the Laravel installer, this key has already been set for you by the php artisan key:generate command.

Typically, this string should be 32 characters long. The key can be set in the .env environment file. If you have not renamed the .env.example file to .env, you should do that now. If the application key is not set, your user sessions and other encrypted data will not be secure!

What I know about application key is: If the application key is not set, generally I do get an exception.

  • How does this random string help in securing sessions?
  • What are the other uses of this application key?
  • Does it make the application less secure if I use the same application key everywhere (e.g. staging, production)?
  • What is the best practice for this key?

Recommended answer

As we can see, it is used in EncryptionServiceProvider:

    public function register()
    {
        $this->app->singleton('encrypter', function ($app) {
            $config = $app->make('config')->get('app');

            // If the key starts with "base64:", we will need to decode the key before handing
            // it off to the encrypter. Keys may be base-64 encoded for presentation and we
            // want to make sure to convert them back to the raw bytes before encrypting.
            if (Str::startsWith($key = $this->key($config), 'base64:')) {
                $key = base64_decode(substr($key, 7));
            }

            return new Encrypter($key, $config['cipher']);
        });
    }

So every component that uses encryption (session, encryption in user scope, CSRF token) benefits from the app_key.

加密"(AES)的工作原理可以回答其余问题,只需打开 Encrypter.php ,并确认Laravel在后台使用AES并将结果编码为base64.

Rest of the questions can be answered by "how encryption" (AES) works, just open up Encrypter.php, and confirm that Laravel uses AES under the hood and encodes the result to base64.

Furthermore, we can see how it is all done by using tinker:

    ➜ laravel git:(staging) ✗ art tinker
    Psy Shell v0.8.17 (PHP 7.1.14 — cli) by Justin Hileman
    >>> encrypt('Hello World!')
    => "eyJpdiI6ImgzK08zSDQyMUE1T1NMVThERjQzdEE9PSIsInZhbHVlIjoiYzlZTk1td0JJZGtrS2luMlo0QzdGcVpKdTEzTWsxeFB6ME5pT1NmaGlQaz0iLCJtYWMiOiI3YTAzY2IxZjBiM2IyNDZiYzljZGJjNTczYzA3MGRjN2U3ZmFkMTVmMWRhMjcwMTRlODk5YTg5ZmM2YjBjMGNlIn0="

Note: I used this key: base64:Qc25VgXJ8CEkp790nqF+eEocRk1o7Yp0lM1jWPUuocQ= to encrypt Hello World!

After decoding the result we get (you can try decoding your own session cookie the same way):

{"iv":"h3+O3H421A5OSLU8DF43tA==","value":"c9YNMmwBIdkkKin2Z4C7FqZJu13Mk1xPz0NiOSfhiPk=","mac":"7a03cb1f0b3b246bc9cdbc573c070dc7e7fad15f1da27014e899a89fc6b0c0ce"}

To understand the above JSON (iv, value, mac) you need to understand AES:

  • en.wikipedia/wiki/Advanced_Encryption_Standard
  • do store it in the .env file only
  • do not store it in app.php, in fact not in any git-tracked file
  • do not change it unless you really want to
    • invalidate sessions/cookies (user logout)
    • invalidate password reset tokens
    • invalidate signed URLs

Obvious note: changing the application key has no effect on hashed passwords, since hashing algorithms do not require encryption keys.
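As an added example (not code from the answer above or from Laravel's own source), here is a minimal stand-alone reimplementation of the payload format shown in the tinker output: the value is serialized, encrypted with AES-256-CBC under a random IV, and the base64 iv and ciphertext are authenticated with an HMAC-SHA256 keyed by APP_KEY, all wrapped in base64 JSON. It reuses the key quoted in the answer; the function names, the rotated key and the small driver at the end are assumptions of this example, and decrypting under the rotated key shows why changing APP_KEY logs every user out.

```php
<?php
// Added example, not Laravel's own code: a minimal reimplementation of the
// base64(JSON{iv, value, mac}) format shown in the tinker output above.
// Assumes PHP >= 7.1 with the openssl extension; function names are hypothetical.

// Parse APP_KEY the way EncryptionServiceProvider does: strip "base64:" and decode.
function decodeAppKey(string $appKey): string
{
    if (strncmp($appKey, 'base64:', 7) === 0) {
        return base64_decode(substr($appKey, 7));
    }
    return $appKey;
}

// Serialize, AES-256-CBC encrypt under a fresh random IV, then HMAC-SHA256 the
// base64 iv and base64 ciphertext with the same key so tampering is detectable.
function laravelEncrypt(string $plain, string $key): string
{
    $iv = random_bytes(16);
    $value = openssl_encrypt(serialize($plain), 'AES-256-CBC', $key, 0, $iv);
    $iv = base64_encode($iv);
    $mac = hash_hmac('sha256', $iv . $value, $key);
    return base64_encode(json_encode(compact('iv', 'value', 'mac')));
}

// Check the MAC in constant time before decrypting; any payload produced under
// another key, or modified in transit, is rejected with null.
function laravelDecrypt(string $payload, string $key): ?string
{
    $data = json_decode(base64_decode($payload, true), true);
    if (!is_array($data) || !isset($data['iv'], $data['value'], $data['mac']) || !is_string($data['mac'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $data['iv'] . $data['value'], $key);
    if (!hash_equals($expected, $data['mac'])) {
        return null;
    }
    $plain = openssl_decrypt($data['value'], 'AES-256-CBC', $key, 0, base64_decode($data['iv']));
    // allowed_classes => false: never let cookie data instantiate objects.
    $value = $plain === false ? false : unserialize($plain, ['allowed_classes' => false]);
    return is_string($value) ? $value : null;
}

// The key quoted in the answer above, plus a hypothetical rotated key.
$current = decodeAppKey('base64:Qc25VgXJ8CEkp790nqF+eEocRk1o7Yp0lM1jWPUuocQ=');
$rotated = random_bytes(32);

$payload = laravelEncrypt('Hello World!', $current);
echo 'same key:    ', laravelDecrypt($payload, $current) === 'Hello World!' ? "decrypted\n" : "rejected\n";
echo 'rotated key: ', laravelDecrypt($payload, $rotated) === null ? "rejected (session would be invalid)\n" : "decrypted\n";
```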

Published: 2023-11-05 04:04:19
Source: https://www.elefans.com/category/jswz/34/1559847.html