Did you mean the secret_key_base config on
The Phoenix docs on sessions give a brief explanation of what it is used for:

Plug uses our secret_key_base value to sign each cookie to make sure it can’t be tampered with.
As I understand it, think of it as a private key that you (the server) can use to sign anything with and send to the client, e.g. a session key or an authentication token. By “sign”-ing, it usually means concatenating the payload data and some kind of secret string and generating a hash of it, which is then sent along with the original payload.
When someone sends the session key/token back to the server (e.g. making a request), the server will then calculate the hash again with the received payload and its secret key, and compare it with the received hash. If it matches, then it means the data is intact and valid. If it mismatches, then you can be sure the data has been tampered with, so you must reject the request.
If an attacker discovers your secret, then they can use it to sign any data they want and make it appear as valid. It enables them to tamper with server-signed data.
Say your token has a scopes field containing ["read"], you can construct a new token with the scopes set to ["read", "create", "update", "delete"], basically giving you privilege escalation.
I believe you could, but the basic rule is that it should be at least 32 characters in length.
mix phoenix.gen.secret gives you 64 by default. Rather than blindly mashing your keyboard, why not use a command that already gives you one? It’s not a password, so you don’t need to remember it. Hence, it’s better to use some randomly generated string than, for example, a random English sentence.
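The sign-and-verify idea described above, as an added example in Python (not Plug's or Phoenix's own code; Plug's real token format and its Plug.Crypto helpers differ). It assumes a simple "payload.hmac" layout, enforces the 32-character minimum on the secret, and shows that a verifier rejects a payload whose scopes were rewritten without the secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret (64 chars, like mix phoenix.gen.secret output).
# Never hard-code a real one; load it from the environment or config.
SECRET_KEY_BASE = "constructed-example-secret-do-not-use-in-production-0123456789ab"
MIN_SECRET_LEN = 32


def _encode(payload: dict) -> str:
    # Canonical JSON so the same payload always yields the same bytes to sign.
    return base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()


def _mac(body: str, secret: str) -> str:
    # HMAC instead of a bare hash of secret+payload: no length-extension issues.
    return hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()


def sign(payload: dict, secret: str) -> str:
    """Return 'body.mac', the server-signed token sent to the client."""
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError("secret_key_base must be at least 32 characters")
    body = _encode(payload)
    return f"{body}.{_mac(body, secret)}"


def verify(token: str, secret: str):
    """Return the payload if the MAC checks out, else None (reject the request)."""
    try:
        body, mac = token.rsplit(".", 1)
    except ValueError:
        return None  # malformed token: no separator
    # Constant-time comparison so timing differences do not leak the MAC.
    if not hmac.compare_digest(mac, _mac(body, secret)):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def rewrite_scopes(token: str, new_scopes: list) -> str:
    """Rewrite the scopes field but keep the old MAC; this is the tampering
    the verifier must catch, since the MAC cannot be recomputed without the secret."""
    body, mac = token.rsplit(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["scopes"] = new_scopes
    return f"{_encode(payload)}.{mac}"
```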