Handle Drupal Hash Salt Considerations #10
Comments
|
This is being worked around in settings.php, but will require a real solution involving writing out to settings.php as part of the installer: if (isset($_SERVER['PANTHEON_ENVIRONMENT'])) { |
|
The $settings['hash_salt'] is now handled with this logic in settings.php: if (isset($_SERVER['PRESSFLOW_SETTINGS'])) { Ideally this can be a value that we inject directly into the environment, but for now this is functional and uses the same methodology as the fallback in drupal_get_hash_salt() https://api.drupal.org/api/drupal/includes%21bootstrap.inc/function/drupal_get_hash_salt/7. |
|
This means that the salt will be changed anytime a database is migrated. On Wed, Oct 22, 2014 at 2:30 PM, Matt Cheney [email protected]
Nick Stielau |
|
In cases where forms are loaded and the database connection information changes before they are submitted, those forms wouldn't work. AFAIK this is how we are handling the hash salt for Drupal 7 via the fallback in https://api.drupal.org/api/drupal/includes%21bootstrap.inc/function/drupal_get_hash_salt/7. Ideally we can set a hash salt for the site in the site environment that wouldn't change when the database information does. |
|
We have an established mechanism to deploy unique hashes for config values. Look at the internal chef code for dropping PHP config for WordPress. This will make it random for sites, but consistent across envs, but can be reset in the event of a security scare. It's better than what we are doing for D7. |
|
We are now rolling with a Pantheon generated hash salt value being used for all Drupal 8 sites. This should maintain consistency across database migrations and site environments. |
|
I just ran into a related issue with this. I created a new D8 (8.0.1) site on Pantheon, then cloned it down to my local, then tried to import it into Acquia Dev Desktop. When I did, I got an error during site installation that said that the settings['hash_salt'] wasn't set. I added $settings['hash_salt'] = ''; to the top of my local settings.php (above the settings.pantheon.php include) and this did the trick. Not sure if it is the best way to do it, but since $settings['hash_salt'] is required, then I'd think that anyone bringing a D8 site down from Pantheon will run into this issue. -mike |
|
It is true that the hash salt is required to run Drupal; however, on Pantheon, we inject the hash salt setting rather than write it into a settings file. This keeps sensitive information out of the repository / database, which is better for security. So, you are correct that it is necessary to add a hash salt value when migrating a Drupal site from Pantheon to another location (different host, local development, etc.). See the discussion on this in #103. |
|
Documentation update for this: pantheon-systems/documentation#1121 |
|
Re-opening this. It looks like we implemented this in a way that has different salts in different environments, which makes development painful when doing DB clone operations. |
|
If I am not mistaken, the hash salt is only used to protect your login session data / prevent CSRF. This means that you cannot be simultaneously logged in to two sessions in two environments in the same browser; is that the development pain you are referring to? If users do not like Pantheon's handling of the hash salt could always set Then, put the result from that command into your settings.php, after settings.pantheon.php is included. I haven't tried to see if I could have simultaneous logins with this configuration, but it should work. Maybe this workaround would be a better strategy than unifying the hash salt across environments -- which I sort of think is a good feature, as it prevents people from accidentally sharing sessions between dev and live. |
This is currently a problem:
RuntimeException: Missing $settings['hash_salt'] in settings.php. in drupal_get_hash_salt() (line 1514 of core/includes/bootstrap.inc).
The text was updated successfully, but these errors were encountered: