Marcelo Agimóvel

Reputation: 1719

Laravel: if someone knows the app-generated key

What could someone do if they have access to the application key of a Laravel project?

What could be done?

Upvotes: 0

Views: 193

Answers (1)

Atrakeur

Reputation: 4244

Basically, they can decrypt and encrypt almost anything and your app will accept it as an input.

For example with your app key, someone can generate cookies that will log them in as any user of your app, without using any password.

If someone has stolen that key, it is best to regenerate it as soon as possible.

However, it will render everything encrypted by your app invalid, so remember-me tokens, cookies, and sessions will be invalidated and everyone will have to log in again.

Also, if you use the Encrypter class in your app, remember that it will no longer be able to decrypt anything previously encrypted, so you will have to migrate that data by decrypting it with the old key and then re-encrypting it with the new one.

Also, the most annoying part is that every password created with Hash::make will no longer be valid. But then, if the attacker has access to your APP key, he also has access to your DB credentials, so your full password database isn't safe anymore and you should force users to regenerate all of their passwords.

Upvotes: 1
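The migration step the answer describes (decrypt with the old key, re-encrypt with the new one), as an added example that is not part of the answer above. It assumes a Laravel app where the previous key is kept temporarily in an `OLD_APP_KEY` environment variable next to the freshly generated `APP_KEY`, and a hypothetical `secrets` table with an encrypted `value` column; run it once inside the app (for example from an Artisan command) after rotating the key.

```php
<?php
// Added example: re-encrypt stored values after rotating APP_KEY.
// OLD_APP_KEY, and the `secrets` table with its `value` column, are assumptions.
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Log;

// Laravel stores keys as "base64:..." in .env; decode to the raw key bytes.
function rawKeyFromEnv(string $name): string
{
    $key = (string) env($name);
    if (str_starts_with($key, 'base64:')) {
        $key = base64_decode(substr($key, 7), true);
    }
    if ($key === '' || $key === false) {
        throw new RuntimeException("$name is not set");
    }
    return $key;
}

// Both encrypters use the cipher configured for the app so key length matches.
$cipher = config('app.cipher');
$old = new Encrypter(rawKeyFromEnv('OLD_APP_KEY'), $cipher);
$new = new Encrypter(rawKeyFromEnv('APP_KEY'), $cipher);

$migrated = 0;
DB::table('secrets')->orderBy('id')->chunkById(500, function ($rows) use ($old, $new, &$migrated) {
    foreach ($rows as $row) {
        try {
            // The payload carries an HMAC under the old key, so a value that was
            // already migrated (or tampered with) fails here instead of yielding garbage.
            $plain = $old->decryptString($row->value);
        } catch (DecryptException $e) {
            Log::warning("secrets.id={$row->id}: not decryptable with OLD_APP_KEY, skipped");
            continue;
        }
        DB::table('secrets')
            ->where('id', $row->id)
            ->update(['value' => $new->encryptString($plain)]);
        $migrated++;
    }
});
Log::info("re-encrypted $migrated rows with the new APP_KEY");
```

Remove `OLD_APP_KEY` from the environment once the run reports no skipped rows, so the compromised key is not left lying around in configuration.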
