Drupal hash salt / private key is changing?
07-02-2021
Question
I've created a token that I store in the database. Here is how I create my token:
$token = drupal_hmac_base64($pid . " " . $order_id . " " . $solde, drupal_get_private_key() . drupal_get_hash_salt());
Then, when a user goes to my URL, which looks like this:
https://mycustomwebsite.com/order_id/token
With the token and another value, order_id, I get the line in my database with that order_id and then I create a new token:
$new_token = drupal_hmac_base64($pid . " " . $order->order_id . " " . $solde, drupal_get_private_key() . drupal_get_hash_salt());
I compare these two tokens just as a verification, to grant access or not.
This works fine, but a couple of days later, when I try to follow a link, the access doesn't work anymore. When I look at the new_token generated for verification, it's not the same!
But the values used to make this token (pid, order_id and solde) are the same, which is why I'm asking my question.
Can drupal_get_hash_salt() or drupal_get_private_key() return different values over time?
Solution
drupal_get_hash_salt() is either:
- a manually-entered value stored in your settings.php
- ...or (by default) a hash of your serialized-DB config
drupal_get_private_key() is either:
- a stored variable called drupal_private_key if it's set
- ...or (by default) randomly generated bytes (that are saved to drupal_private_key after generation)
So, either one can change their value if:
- You changed your DB config (if $drupal_hash_salt isn't manually set in settings.php).
- You've lost/removed drupal_private_key from the variable DB table.
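
The behaviour described in the answer, as an added example that is not part of the original post and is not Drupal's own code: a stand-alone PHP script that re-creates the two derivations and the question's token outside Drupal. The example_* functions, the sample $databases array, the keys and the salt are all constructed, and comparing with hash_equals() is an assumption about how the tokens are checked.

```php
<?php
// Added example: plain-PHP re-creation of the Drupal 7 derivations described
// above. Every example_* name and every sample value is constructed.

// Same construction as drupal_hmac_base64(): HMAC-SHA256, URL-safe base64.
function example_hmac_base64($data, $key) {
  $hmac = base64_encode(hash_hmac('sha256', (string) $data, (string) $key, TRUE));
  return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}

// Salt rule from the answer: the settings.php value, else a hash of the DB config.
function example_hash_salt($drupal_hash_salt, array $databases) {
  return empty($drupal_hash_salt) ? hash('sha256', serialize($databases)) : $drupal_hash_salt;
}

// Token built the way the question builds it.
function example_token($pid, $order_id, $solde, $private_key, $salt) {
  return example_hmac_base64($pid . ' ' . $order_id . ' ' . $solde, $private_key . $salt);
}

// Constructed sample data.
$private_key = 'constructed-private-key';
$db_before = array('default' => array('default' => array(
  'database' => 'shop', 'username' => 'drupal', 'password' => 'old-password', 'host' => 'localhost',
)));
$db_after = $db_before;
$db_after['default']['default']['password'] = 'rotated-password';

// Case 1: salt not set in settings.php, DB password changed after the link was issued.
$stored = example_token(12, 345, '99.50', $private_key, example_hash_salt('', $db_before));
$check  = example_token(12, 345, '99.50', $private_key, example_hash_salt('', $db_after));
var_dump(hash_equals($stored, $check));

// Case 2: salt pinned in settings.php, same DB password change.
$pinned = 'constructed-pinned-salt';
$stored = example_token(12, 345, '99.50', $private_key, example_hash_salt($pinned, $db_before));
$check  = example_token(12, 345, '99.50', $private_key, example_hash_salt($pinned, $db_after));
var_dump(hash_equals($stored, $check));

// Case 3: drupal_private_key row lost, so a different key is in use at check time.
$regenerated_key = 'constructed-regenerated-key';
$check = example_token(12, 345, '99.50', $regenerated_key, example_hash_salt($pinned, $db_after));
var_dump(hash_equals($stored, $check));
```

Only the second comparison succeeds: a token survives a DB config change when the salt is set in settings.php, and no token survives the loss of the private key.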