MarkMekhaiel

MarkMekhaiel

Phoenix - Setting the signing salt for cookies from an env var

Hi,

I’m in the middle of the rather painful task of converting our phoenix API to an app that accepts and serves HTML requests.

This is all working fine locally, my issue comes when setting the signing salt for the Plug.Session module. It gets set in MyApp.Endpoint and I’d like it to look like this:

  plug(Plug.Session,
    store: :cookie,
    key: "myapp_key",
    signing_salt: Application.compile_env(:myapp_web, MyAppWeb.Endpoint)[:secret_key_base],
    key_length: 70,
    log: :debug
  )

While this works locally, when build and deployed, this value is obviously nil, which results in errors.

I guess the first question is, is hard coding the salt here a security issue?

And if so, how can I set the signing_salt after I’ve access to env vars?

Thanks in advance

Marked As Solved

voltone

voltone

Setting the signing_salt to the value of secret_key_base doesn’t make much sense in the first place.

The idea of a salt in a key derivation function (KDF) is to derive secondary secrets from a single master secret. This is necessary because it is not safe to use the same master key for multiple use-cases in different contexts. As long as you keep your master secret safe, the salts don’t have to be kept secret. If one of the derived secrets is compromised you can just change the salt to rotate it. As long as each individual salt is unique and is never reused in another context.

TL;DR: you can hardcode a signing_salt value at compile-time and commit it to your code repo, as long as you are ok with a code push should you ever have a need to rotate it. (But don’t set it to the current value of secret_key_base, obviously, as that should remain secret!).

Where Next?

Popular in Questions Top

chokchit
** (DBConnection.ConnectionError) connection not available and request was dropped from queue after 2733ms. You can configure how long re...
New
vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
lessless
I believe there are people here who are dealing with CSV files import on the daily basis, and since Excel is a really popular tool there ...
New
mgjohns61585
Could someone help me? I’m making my first elixir program, number guessing game. I can’t figure out how to convert the user’s guess from ...
New
shahryarjb
Hello, I get Persian date from my client and convert it to normal calendar like this: def jalali_string_to_miladi_english_number(persi...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
komlanvi
Hi everyone, I was playing with phoenix liveView but I run into an issue. I have a form and want to validate each input text when the te...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New

Other popular topics Top

aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
AstonJ
Posting this to see if we can make things easier for people to get into Neovim. If you use Neovim and have a favourite distro please let ...
New
lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID<0.412.0> terminating ** (Postgrex.Error) FATAL...
New
JeremM34
Hello, how can I check the Phoenix version ? Thanks !
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
aesmail
Hello guys, I have finally made it. I created an admin interface for a framework. It’s been on my todo list for years and with the curre...
New
ashish173
I am using Ecto timestamps with postgres, I can see the timestamps() use the :naive_dateime but for my use case I wanted to store the ti...
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New

Latest on Elixir Forum

We're in Beta

About us Mission Statement