I'm trying out the PHP micro framework Lumen (from Laravel). One of the first steps is to look at the .env.example file and make a copy of it to create the .env file. There is an APP_KEY variable like the one in Laravel. php artisan key:generate.
Error 1: The PHP script uses too much memory; the default memory_limit of 128M is not enough. PHP Fatal error: Allowed memory size of XXXXXX bytes exhausted. The Composer command failed: Composer internally raises memory_limit to 1.5G. Solution: edit the php.ini configuration and increase memory_limit. Error 2: PHP version problem.
Apr 18, 2015 Be sure to create the database (homestead in this case, but you can obviously customise it). It’s also a good idea in general to change the APP_KEY value into some random string in case you are building a “serious” application. To make Lumen load this configuration file we need, again, to edit the bootstrap/app.php file and uncomment the following line.
Every time Laravel developers start or clone a Laravel app, generating the application key or APP_KEY is one of the most important first steps.
A recent Laravel security update fixed an issue with how APP_KEY is used. For someone to exploit this issue, they'd need to have access to the production APP_KEY. The simplest fix for the exploit is to rotate (change) your APP_KEY. That led some of us at Tighten to ask the question: What does the app key do? What is involved in rotating it? What are best practices for managing these keys for our Laravel applications?
In this post, we'll talk about what APP_KEY does and doesn't do, some common misconceptions about its relationship to user password hashing, and the simple steps to changing your APP_KEY safely without losing access to your data.
In early August, Laravel 5.5 and 5.6 received a security fix related to cookie serialization and encryption. On one hand, the fix is simple and most applications probably weren't affected. On the other hand, it's a serious security risk and reveals the need for our community to better understand how APP_KEYs work.
Exploiting this security issue requires someone to know your APP_KEY, which is why I’m going to walk you through the details of your key, why it’s important, and how to change it.
For information about the security fixes, see these resources:
APP_KEY?
The application key is a random, 32-character string stored in the APP_KEY key in your .env file. The Laravel installer generates one for you, so you'll only notice it missing when you clone an existing app.
You've probably seen this error before:
To create a new key, you could generate one yourself and paste it into your .env, or you can run php artisan key:generate to have Laravel create and insert one automatically for you.
Once your app is running, there's one place it uses the APP_KEY: cookies. Laravel uses the key for all encrypted cookies, including the session cookie, before handing them off to the user's browser, and it uses it to decrypt cookies read from the browser. This prevents the client from making changes to their cookies and granting themselves admin privileges or impersonating another user in your application. Encrypted cookies are an important security feature in Laravel.
All of this encryption and decryption is handled in Laravel by the Encrypter using PHP's built-in security tools, including OpenSSL. We won’t be looking closely at how that encryption works here, but if you want to learn more I’d encourage you to read more on the PHP implementation of OpenSSL and the openssl_encrypt function.
One very common misconception in the Laravel community, one I held myself until recently, is that the APP_KEY is used to hash passwords. Thankfully, this isn't the case! I think this leads many people to assume that the APP_KEY is un-rotatable without breaking all of your users' logins.
Passwords are not encrypted, they are hashed.
Laravel's passwords are hashed using Hash::make() or bcrypt(), neither of which uses APP_KEY. Let’s take a look at encryption and hashing in Laravel.
There are two main cryptographic facades in Laravel: Crypt (symmetric encryption) and Hash (one-way cryptographic hashing). Passwords are hashed, and cookies are (optionally) encrypted. Let’s look at the differences.
Let’s say I want to send a secret message to my friend Arthur. We both agreed on a secret key the last time we were together:
I want to send him a short message that only that key can decrypt. I’ll use my favorite industry standard, open source encryption function openssl_encrypt() (used by Laravel's Crypt) with our shared $key and have a plain-text encrypted string to send him:
I’ll send this secret to Arthur any way I want; since we’re the only two with the key, I’m not worried about anyone else reading the message.
When Arthur gets it, he’ll reverse the process using our secret key. This is the symmetric part of it: we’re able to encrypt and decrypt without losing information.
Laravel uses this same method for cookies, acting as both the sender and the receiver and using APP_KEY as the encryption key. Response cookies are encrypted, sent to the user, read back in a future request, and decrypted, all using the same application key.
Our example of symmetric encryption has lots of potential uses, but all of them involve needing to eventually decrypt the scrambled message.
But when it comes to something like user passwords, you should never have a way to decrypt them. Ever.
This means our Crypt methods won’t work, and password storage therefore can’t be based on a key that we have. Instead, we need a hashing function, which should be:
You’re likely already familiar with many one-way hashing algorithms: MD5 and SHA-1 are quick to compute, but not the most secure (they’re weak on items 4 and 5 above).
Laravel hashing uses the native PHP password_hash() function, defaulting to a hashing algorithm called bcrypt. For one-way hashing, it’s a great default, and you shouldn’t need to change it (though Laravel now offers a few other hashing methods, too).
If you’ve ever looked in the users table, this might look familiar to you. Here’s what it means:
$2y$: hashed using the blowfish algorithm (bcrypt)
10$: the “cost” factor (higher means the hash takes longer to compute)
hEEF0lv4spxnvw5O4XyLZ.: a random “salt” of 22 characters
QjCE1tCu8HjMpWhmCS89J0EcSW0XELu: the hash output
Since this is a one-way hash, we cannot decrypt it. All that we can do is test against it.
When the user with this password attempts to log in, Laravel hashes their password input and uses PHP’s password_verify() function to compare the new hash with the database hash:
You’ll notice that Laravel only needs a key (in this case, APP_KEY) when symmetric (reversible) encryption is needed. User password storage should never be reversible, and therefore doesn’t need APP_KEY at all.
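The hash layout and the password_verify() check described above, as an added example that is not from the original article. The sample password is constructed, bcrypt_parts() is a hypothetical helper, and the stored hash string is reassembled from the four parts listed above.

```php
<?php
// Added example: bcrypt through PHP's native password API. No application key is involved.

// Split a stored bcrypt string into the parts listed above:
// "$2y$" + two-digit cost + "$" + 22-character salt + 31-character hash output.
function bcrypt_parts(string $hash): array
{
    if (!preg_match('/^(\$2y\$)(\d{2})\$(.{22})(.{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('not a $2y$ bcrypt hash');
    }
    return ['algo' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'output' => $m[4]];
}

// The hash string reassembled from the four parts shown in the article.
$fromArticle = '$2y$10$hEEF0lv4spxnvw5O4XyLZ.QjCE1tCu8HjMpWhmCS89J0EcSW0XELu';
print_r(bcrypt_parts($fromArticle));

$password = 'correct horse battery staple'; // constructed sample input
$first = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// A fresh random salt per call means the two stored strings differ...
var_dump($first === $second);
// ...yet each verifies, because password_verify() reads cost and salt from the hash itself.
var_dump(password_verify($password, $first), password_verify($password, $second));
var_dump(password_verify('wrong guess', $first));

// Raising the cost later needs no key rotation: rehash at the next successful login.
if (password_needs_rehash($first, PASSWORD_BCRYPT, ['cost' => 12])) {
    $upgraded = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    echo bcrypt_parts($upgraded)['cost'], PHP_EOL;
}
```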
But that doesn’t mean your key should be treated carelessly. Instead, treat it like any other production credential: use the same care and security as your MySQL password or MailChimp API key.
Any good credential management strategy should include rotation: changing keys and passwords on a regular basis (e.g. every 6 months) or in specific situations (e.g. an employee leaves the company).
Thankfully, it is possible to rotate your APP_KEY; you just need to keep a few things in mind.
If you serve the same application from multiple servers, you’ll need to update the key on each server.
Any users currently logged in to your application will have their sessions invalidated as soon as you change your APP_KEY. Schedule your key rotation at an optimal time to minimize inconvenience for your users.
Although the security of your cookies is the only place Laravel uses the APP_KEY as a framework, you may have custom code in your application that encrypts your data. If you have any uses of Laravel's encrypting features, make and test a plan to decrypt that data with your old key and re-encrypt it with the new key.
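One way to carry out the decrypt-with-old-key, re-encrypt-with-new-key step, which also shows the symmetric encryption from the Arthur example in runnable form. This is added example code, not Laravel's Encrypter and not from the original article; the helper names seal_value() and open_value(), the keys and the sample rows are constructed for illustration.

```php
<?php
// Added example, not Laravel's Encrypter: AES-256-CBC plus an HMAC tag, then
// re-encryption of stored values from an old key to a new one.
const CIPHER = 'aes-256-cbc';

function seal_value(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $value = openssl_encrypt($plaintext, CIPHER, $key, 0, $iv); // base64 text
    if ($value === false) {
        throw new RuntimeException('encryption failed');
    }
    $iv = base64_encode($iv);
    $mac = hash_hmac('sha256', $iv . $value, $key); // tag covers IV and ciphertext
    return base64_encode(json_encode(compact('iv', 'value', 'mac')));
}

function open_value(string $payload, string $key): string
{
    $p = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($p) || !isset($p['iv'], $p['value'], $p['mac'])) {
        throw new RuntimeException('malformed payload');
    }
    // Check the tag in constant time before decrypting anything.
    $expected = hash_hmac('sha256', $p['iv'] . $p['value'], $key);
    if (!hash_equals($expected, (string) $p['mac'])) {
        throw new RuntimeException('MAC mismatch: wrong key or altered payload');
    }
    $plain = openssl_decrypt($p['value'], CIPHER, $key, 0, base64_decode($p['iv']));
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

$oldKey = random_bytes(32); // constructed keys; a real APP_KEY lives in .env
$newKey = random_bytes(32);
$rows = [1 => seal_value('note for Arthur', $oldKey), 2 => seal_value('api-token-sample', $oldKey)];

foreach ($rows as $id => $payload) {
    $rows[$id] = seal_value(open_value($payload, $oldKey), $newKey); // old key out, new key in
}

echo open_value($rows[1], $newKey), PHP_EOL;
try {
    open_value($rows[2], $oldKey); // the old key no longer opens rotated rows
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Keep the old key available until every stored value has been re-encrypted and verified, since rows still sealed under it fail the MAC check with the new key.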
APP_KEY
First, copy your existing APP_KEY somewhere else, just in case changing your key has unintended side effects.
Before you try rotating your APP_KEY on your production server, try rotating it on your local machine to make sure everything goes smoothly. When you're ready, run php artisan key:generate:
And that’s it! If you want to generate a key without modifying your .env file, include the --show flag:
APP_KEY does not affect user passwords
APP_KEY, logging out any current users
APP_KEY
APP_KEY along with your other credentials and keys
The new migration will be placed in your database/migrations directory. Each migration file name contains a timestamp as version which allows Doctrine to determine the order of the migrations.
The --table and --create options may also be used to indicate the name of the table and whether the migration will be creating a new table. These options simply pre-fill the generated migration stub file with the specified table:
If you would like to specify another output path for the generated migration, you can change the setting in config/migrations.
The command generates a blank migration class in database/migrations with the latest version.
Schema has an addSql() method for adding our own custom SQL queries.
For example:
Alternatively you can use a Laravel-like Schema Builder. The previous example will now look like this: