Could Salts Live In Another File? about wordpress-skeleton HOT 4 OPEN

Well, you could use the same approach... put in placeholders and have a Capistrano task populate them. Here's the problem with me having these be placeholders in this repo: WordPress treats the string 'put your unique phrase here' specially. It knows that that string is the default, and if that string is present, it generates salts that are stored in the database. If I put a placeholder, then anyone who doesn't use a deploy process to update the placeholders with real salt values is going to be using a published, shared salt. Which isn't great. Not the end of the world — having the salt stored in the database is also less secure than have a hardcoded, secret salt.

I'll have a think about how I could offer this in a secure way. Like, maybe the placeholders could go to placeholder variables and then have the defines be programmatically defined based on their value (placeholder vs non-placeholder). That might work.

from wordpress-skeleton.

Thanks for that - very interesting. So, in fact, you could just leave them as is, as it would be more secure than substituting them on deployment. Perhaps the best technique would be to substitute the placeholders - which I think is what you are saying?

I wonder if rather than use sed on the server side it might be better to use ERB on the client side, a la Chef and Puppet et al.

from wordpress-skeleton.

Perhaps the best technique would be to substitute the placeholders - which I think is what you are saying?

Well, something like this:

<?php
$keys = array(
  'AUTH_KEY' => '%%AUTH_KEY%%',
  'SECURE_AUTH_KEY' => '%%SECURE_AUTH_KEY%%'
  // etc, listing out all the keys
);

// Do not modify this section
foreach ( $keys as $key => $value ) {
  if ( $value === "%%$key%%" )
    define( $key, 'put_your_unique_phrase_here' );
  else
    define( $key, $value );
}
unset( $keys, $key, $value );

So, if you use the placeholders, they'll be defined using what you set them to. Else, they stay the default. What do you think of that approach?

I wonder if rather than use sed on the server side it might be better to use ERB on the client side, a la Chef and Puppet et al.

You certainly have that option. Would be trivial to write that as a Capistrano task. I'd listen for an argument for making that the way to do placeholders from here on.

from wordpress-skeleton.

Sorry for the delay, I'll look into doing to replacement to ERB and send you a pull request when I am done.

As dor the placeholders, I think this is a wise approach, pending the replacement with ERB.

from wordpress-skeleton.