• What are these and how do they work in the WordPress installation? I understand once these are generated they should be pasted into the wp-config.php file in my WP installation located on the web server. But I don’t understand the mechanics of what function they perform. Is there some kind of handshaking going on, and between what, and where are they stored? Please remember I know nothing about this kind of stuff and simply want to learn.

    As a newbie at all of this I have an el cheapo shared hosting package from Dreamhost which suits me fine until I learn the ropes.

    Thanks for any guidance 🙂

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator James Huff

    (@macmanx)

    They’re an essential security feature and probably best described at https://codex.wordpress.org/Editing_wp-config.php#Security_Keys with subsequent links to further reading. 🙂

    Thread Starter GusGF

    (@gusgf)

    These links don’t actually explain how the keys work. Lots of statements but no actual explanation of the inner workings.

    Can it be that difficult to explain?

    Moderator James Huff

    (@macmanx)

    Here you go, I found this in the first page of search results for “wordpress AUTH_KEY” http://codeseekah.com/2012/04/09/why-wordpress-authentication-unique-keys-and-salts-are-important/

The problem with the articles is that they’re outdated. When you look at the code, you can see some new stuff. This is a pretty decent explanation, but despite the fact that the article was written in 2014, it’s still outdated. I mean, most of the things that you can read in that post apply to the recent version of the code, but some of the things are missing, for instance the Token.

    The following is a comment that I posted in the aforementioned article:

    In the recent version (4+) there was a change in the authentication process, I mean there’s another parameter — token, so the cookie looks like this:

    Set-Cookie: wordpress_urlhash=user|timestamp|token|hash(sha256|sha1)

I’m wondering what the purpose of the token is and whether it can be predicted.

    Also I have some additional questions concerning key/salt strings that can be set in wp-config.php file because I can’t find any useful info on this subject.

    1. Can I use any utf-8 character to set the keys, for instance ® ?
    2. Is there a limit in the length of the strings?
    3. What is the purpose of NONCE cookie? I can understand the 3 other.
    4. If you don’t have the keys set in the wp-config.php file, they will be automatically created in the database, but what if you create them in the wp-config.php? You have now two sets of keys — one in the database and one in the file. According to https://codex.wordpress.org/Function_Reference/wp_salt , they “will be appended to the secret key that is in wp-config.php file in some instances.” — do you know what instances? Is it better to have the two sets or delete the keys from the database?
    5. Why do we need two different keys (key + salt) in wp-config.php file? I mean, there’s one file and the two values are read from it, so what’s the purpose of having two keys instead of just one?
    6. Why is the default length of the keys (salts) 64 chars? I mean, the sha256 hash also has 64 chars — is there any connection between the two? Is there any security improvement when I use more than 64 chars in the keys/salts?

    But the comment is still awaiting moderation, and I didn’t get answers to these questions.
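To make the cookie format quoted above concrete, here is an added example (written for this page, not WordPress's own PHP code) that models in Python how the `user|timestamp|token|hash` cookie is built and checked. It mirrors the structure of `wp_generate_auth_cookie()`, `wp_validate_auth_cookie()`, `wp_hash()` and `wp_salt()` in `pluggable.php` as they stood in WordPress 4.x, which is an assumption you should check against the version you run. The key and salt values, the user row, and the session store are all constructed stand-ins for `wp-config.php`, the `wp_users` table and the `session_tokens` user meta. There is no handshake: the keys are HMAC secrets that never leave the server, and the browser only holds a signed string that the server re-signs and compares on every request.

```python
"""Model of the WordPress auth cookie: user|expiration|token|hmac.

Assumed structure (WP 4.x pluggable.php, verify against your version):
  wp_salt('auth')  = AUTH_KEY . AUTH_SALT          (from wp-config.php)
  wp_hash(data)    = HMAC-MD5(key=wp_salt, data)
  key              = wp_hash(login|pass_frag|expiration|token)
  signature        = HMAC-SHA256(key, login|expiration|token)
The token is random; only its SHA-256 is stored server-side, which is
what lets "log out everywhere" kill cookies whose signature is still good.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed sample secrets standing in for the lines in wp-config.php.
WP_CONFIG: Dict[str, str] = {
    "AUTH_KEY": "constructed-sample-key  8z!Lq#2Vp^c0&Rw@Tn*Ye(Hd)Ka-Mb_Xs",
    "AUTH_SALT": "constructed-sample-salt Q7$Fj%Gv+Bm=Nc/Zt?Wr<Pk>Ls;Dh:Jx",
}

# Constructed stand-in for one wp_users row (user_pass is a phpass hash).
USER = {"login": "gusgf", "user_pass": "$P$BqJkxBd0nRkFnxGdrAeixRg5nLjKld/"}

# Stand-in for the session_tokens user meta: sha256(token) -> expiration.
SESSIONS: Dict[str, int] = {}


def wp_salt(scheme: str = "auth") -> str:
    """Concatenate <SCHEME>_KEY and <SCHEME>_SALT (only 'auth' modelled here)."""
    return WP_CONFIG[f"{scheme.upper()}_KEY"] + WP_CONFIG[f"{scheme.upper()}_SALT"]


def wp_hash(data: str, scheme: str = "auth") -> str:
    """HMAC-MD5 keyed with the concatenated key+salt, as wp_hash() does."""
    return hmac.new(wp_salt(scheme).encode(), data.encode(), hashlib.md5).hexdigest()


def create_session_token(expiration: int) -> str:
    """Random session token; the server keeps only its hash, never the token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = expiration
    return token


def _signature(login: str, pass_frag: str, expiration: str, token: str) -> str:
    key = wp_hash(f"{login}|{pass_frag}|{expiration}|{token}")
    msg = f"{login}|{expiration}|{token}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()


def generate_auth_cookie(user: dict, expiration: int, token: Optional[str] = None) -> str:
    """Value of the wordpress_<COOKIEHASH> cookie sent to the browser."""
    if token is None:
        token = create_session_token(expiration)
    pass_frag = user["user_pass"][8:12]            # substr(user_pass, 8, 4)
    sig = _signature(user["login"], pass_frag, str(expiration), token)
    return f"{user['login']}|{expiration}|{token}|{sig}"


def validate_auth_cookie(cookie: str, users: Dict[str, dict], now: Optional[int] = None) -> bool:
    """Re-derive the signature server-side and compare; then check the session store."""
    now = int(time.time()) if now is None else now
    parts = cookie.split("|")
    if len(parts) != 4:
        return False
    login, expiration, token, sig = parts
    if not expiration.isdigit() or int(expiration) < now:
        return False
    user = users.get(login)
    if user is None:
        return False
    expected = _signature(login, user["user_pass"][8:12], expiration, token)
    if not hmac.compare_digest(expected, sig):   # constant-time compare
        return False
    return hashlib.sha256(token.encode()).hexdigest() in SESSIONS


def demo(now: int = 1_700_000_000) -> Dict[str, bool]:
    """Exercise the scheme: genuine, forged expiry, expired, rotated keys, logout everywhere."""
    users = {USER["login"]: USER}
    exp = now + 2 * 24 * 3600                      # default two-day session
    cookie = generate_auth_cookie(USER, exp)
    login, _, token, sig = cookie.split("|")
    forged = f"{login}|{exp + 365 * 24 * 3600}|{token}|{sig}"  # longer life, old signature
    results = {
        "genuine": validate_auth_cookie(cookie, users, now),
        "forged_expiration": validate_auth_cookie(forged, users, now),
        "expired": validate_auth_cookie(cookie, users, exp + 1),
    }
    old_key = WP_CONFIG["AUTH_KEY"]
    WP_CONFIG["AUTH_KEY"] = "rotated-constructed-key"   # new salts in wp-config.php
    results["after_key_rotation"] = validate_auth_cookie(cookie, users, now)
    WP_CONFIG["AUTH_KEY"] = old_key
    SESSIONS.clear()                                   # "log out everywhere"
    results["after_logout_everywhere"] = validate_auth_cookie(cookie, users, now)
    return results


if __name__ == "__main__":
    print(demo())
```

Two points this makes visible that the prose alone does not: changing AUTH_KEY or AUTH_SALT in wp-config.php invalidates every existing cookie without touching the database, because the signature can no longer be reproduced, and the token is what ties a cookie to a revocable server-side session rather than to the password hash alone.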

    Moderator James Huff

    (@macmanx)

    The code may be outdated, but the general why/how, which the OP was asking, hasn’t changed.


The topic ‘Authentication Unique Keys and Salts, how do they work and whats their purpose?’ is closed to new replies.