0009191: obsolete and remove $g_password_confirm_hash_magic_string - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0009191	mantisbt	scripting	public	2008-05-21 18:49	2011-08-05 02:25

Reporter	giallu	Assigned To	dhx
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	closed	Resolution	duplicate
Product Version	1.1.1

Summary	0009191: obsolete and remove $g_password_confirm_hash_magic_string
Description	This variable is used in few places as a "salt" string, but my guess is many installations it is left at default value, defeating its purpose. From a quick check, it seems we can get rid of it completely. Otherwise, we need to fin a better way to create it, possibly as a real random string at installation time.
Tags	No tags attached.

vboctor 2008-07-13 16:41 manager ~0018468	I agree that this string should be a random string that is generated at install time. I'm not sure what features will break if this string breaks. From memory this is only used for authenticated RSS.

dhx 2010-09-18 01:28 reporter ~0026767	Already obsoleted by 0010730.

duplicate of	0010730	closed	dhx	Improve random number generation with openssl_random_pseudo_bytes
related to	0009190	closed	dhx	Improve robustness of auth_generate_confirm_hash()