Secret Keys & Salts — Explained
These eight values are the cryptographic backbone of a secure application. Each one is a random 64-character string that should be unique per project and never shared publicly.
Auth Key
AuthKeyAuthenticates logged-in users
Used to encrypt and verify the authentication cookie set when a user logs in. It is the primary secret that proves a session belongs to a specific user.
Risk: If compromised, attackers can forge login cookies and gain unauthorized access to any account.
Auth Salt
AuthSaltAdds entropy to the Auth Key
Works alongside AuthKey to add randomness (entropy) to the hashing process. A salt makes brute-force and rainbow-table attacks computationally infeasible even if the key itself leaks.
Risk: Without a strong salt, an attacker with the key could precompute valid cookies offline.
Logged In Key
LoggedInKeySigns the front-end session cookie
Secures the cookie used to check whether a user is logged in on the front end. Kept separate from AuthKey so that front-end and back-end sessions use independent secrets.
Risk: Reusing the same value as AuthKey reduces security isolation between front-end and admin sessions.
Logged In Salt
LoggedInSaltSalts the Logged In Key
Provides the salt component for the logged-in cookie hash, mirroring the role AuthSalt plays for AuthKey. Keeps the front-end session token unpredictable.
Risk: A weak or reused salt here makes front-end session tokens easier to predict or forge.
Nonce Key
NonceKeySigns one-time action tokens
Nonces are short-lived tokens that protect URLs and forms from CSRF (Cross-Site Request Forgery). NonceKey is the secret used to generate and verify these tokens.
Risk: A predictable NonceKey lets attackers craft valid nonces, enabling CSRF attacks on privileged actions.
Nonce Salt
NonceSaltAdds entropy to Nonce Key
Salt companion to NonceKey. Ensures that even if two requests share the same context, the resulting nonce tokens are unique and non-guessable.
Risk: Without a proper salt, nonces generated close together in time may be predictable.
Secure Auth Key
SecureAuthKeySecures HTTPS-only sessions
Used exclusively over HTTPS to sign the secure authentication cookie. Provides an additional layer of isolation — even if HTTP cookies are sniffed, the HTTPS session cookie remains protected.
Risk: Sharing this value with AuthKey eliminates the security benefit of having separate HTTPS-only session tokens.
Secure Auth Salt
SecureAuthSaltSalts the Secure Auth Key
The salt paired with SecureAuthKey. Together they harden the HTTPS-only session cookie against offline attacks and ensure each installation has a cryptographically unique token space.
Risk: A weak or default salt makes the secure session cookie vulnerable to offline brute-force.
Generated by ababilspark.com — rotate these values any time you suspect a breach.