- If you’re using PHP <7, you can still use random_bytes()! Well, once you install random_compat via Composer.
- If you’re using any mcrypt function other than mcrypt_create_iv() for working with passwords, stop. Sounds like you’re encrypting passwords rather than hashing them. Don’t do that.
- mcrypt isn’t exactly 1:1 with OpenSSL for encrypt/decrypt, but you can get it to do the same thing (same inputs, same outputs). I’ll do a post later on how to do this…I’ve done exactly that before and have unit tests to prove it 🙂
- You can specify a manual salt in PHP 7.0 within password_hash(). It’s deprecated, and for good reason: don’t use it. But if you need backward compatibility with something or other, it’s there…for now.
- The next password hashing mechanism that’ll show up in PHP, as PASSWORD_DEFAULT for password_hash(), is Argon2i. There’s an RFC for inclusion of the algorithm in the language, but nothing quite yet for setting as PASSWORD_DEFAULT…probably only a matter of time though. Maybe PHP 8.
- Re: MFA, TOTP doesn’t have replay prevention built in, but it cycles every 30 seconds if you’re using Google Authenticator (the spec lets you use other periods, but 30 seconds is the only one GAuth supports). HOTP is the other OATH standardized one time password, and that one is strictly event based. Look up spomky-labs/otphp for building those codes, as well as bacon/bacon-qr-code to spit them out as QR codes that Google Authenticator can consume. Built an internal 2FA server using those libs…eventually it’ll get open-sourced…
- For JWTs, League’s OAuth2 server uses lcobucci/jwt rather than Firebase’s library…lcobucci’s a bit more full-featured.
- Read this about JWTs’ algorithm field, and how you shouldn’t trust it. Then use a library that doesn’t have that vulnerability (both of the above are patched).
Posts Tagged php
As I’m writing this, I’m sitting at SeaTac waiting for my flight back from PNWPHP to board. One talk there inspired me to get AMP up and running on this blog…but more on that in another post. As part of that process, I figured, “What the heck, I’ve got CloudFlare set up on my site, which gives me HTTPS for free. I should force HTTPS for my entire (WordPress) blog. Which means I’ll get HTTP/2 acceleration for free as well (because CloudFlare does that), which Davey Shafik said was pretty awesome.”
My site has been available over HTTPS for a bit, as I set up CloudFlare a few months back, but the default protocol was HTTP, hitting my host directly. No geo-acceleration, no HTTPS, no HTTP/2.
The process to fix that issue was as follows: Read the rest of this entry »
Last weekend I attended SunshinePHP (it was a blast; you should go next year if you didn’t this year…or if you did, for that matter). Friday night, there was a panel on minimum PHP versions, with an eye to raising the bar to something in recent, non-end-of-life history rather than allowing versions that won’t get security fixes anymore. The battle cry there was one of pushing hosts, devs, sysadmins and communities in general to newer versions (5.5, 5.6, and 7 late this year) in the name of better speed, better security, and a much happier environment for developers.
This battle cry was mixed with the explanations of some panel members on why their packages still support PHP 5.2 and 5.3 (remember, both now no longer get security fixes), with remonstrances that increasing a version requirement on CMS-centric frameworks like CodeIgniter, or CMSes themselves like WordPress and PyroCMS would end up stranding user bases on unsupported, vulnerable software if they increased their minimum version requirement to something reasonable, rather than getting those devs and end users on a supported, more dev-friendly version of the runtime. For full-stack frameworks, and given the proliferation of, and ease of migration to, 5.4+ hosts, I find this unconscionable, for reasons stated eloquently by Anthony Ferrara.
But another member of the panel also supports PHP 5.3 with his libraries: Paul M. Jones with the AuraPHP project. Why am I not railing against this…and the fact that the Aura v2 libraries actually downgraded their version requirements relative to Aura v1? Paul mentioned that the effort to allow 5.3 compatibility was quite low (remove short array syntax, remove callable typehints), but there’s a better reason: Aura libs can be used to modernize applications and serve as a bridge to current versions…and you want to put the other end of the bridge where those apps are sitting right now. Read the rest of this entry »