diff --git a/config.TEMPLATE.inc.php b/config.TEMPLATE.inc.php
index f507bc7ca27..68cede26095 100644
--- a/config.TEMPLATE.inc.php
+++ b/config.TEMPLATE.inc.php
@@ -24,6 +24,10 @@
 [general]
+; An application specific key that is required for the app to run
+; Internally this is used for any encryption (specifically cookie encryption if enabled)
+app_key =
+
 ; Set this to On once the system has been installed
 ; (This is generally done automatically by the installer)
 installed = Off
@@ -50,11 +54,6 @@
 ; To set the "Secure" attribute for the cookie see the setting force_ssl at the [security] group
 session_samesite = Lax
-; Enable this if want to enable cookie encryption
-; The length of the cookie encryption key must be 16 characters
-; Note that updating or removing cookie encryption key will result in logout from all devices
-; session_cookie_encryption_key = ''
-
 ; Enable support for running scheduled tasks
 ; Set this to On if you have set up the scheduled tasks script to
 ; execute periodically
@@ -252,6 +251,14 @@
 [security]
+; Specific cipher algorithm used to generate app key and encryption purpose
+; Valid and available algorithms are `aes-128-cbc`, `aes-256-cbc`, `aes-128-gcm` and `aes-256-gcm`
+; cipher = 'aes-256-cbc'
+
+; Define should the cookie at user's end need to be encrypted
+; Enabling/Disabling will force all user to re-login
+; cookie_encryption = On
+
 ; Force SSL connections site-wide and also sets the "Secure" flag for session cookies
 ; See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#secure
 force_ssl = Off
diff --git a/dbscripts/xml/upgrade.xml b/dbscripts/xml/upgrade.xml
index 76b4d4adc8a..b6d409eeba3 100644
--- a/dbscripts/xml/upgrade.xml
+++ b/dbscripts/xml/upgrade.xml
@@ -114,6 +114,7 @@
+
diff --git a/docs/release-notes/README-3.5.0 b/docs/release-notes/README-3.5.0
index d03f922ff39..c853f3c8aeb 100644
--- a/docs/release-notes/README-3.5.0
+++ b/docs/release-notes/README-3.5.0
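Review bot: The new `app_key` comment says the key is required for the app to run, yet the template leaves the value empty and gives no hint of where it comes from, while the caveat that updating or removing the key logs every user out of every device is dropped together with the old `session_cookie_encryption_key` block in the next hunk and is not carried over. Suggest extending the comment with `; Generated automatically by the installer/upgrade; treat it as a secret and keep it out of version control` and `; Changing or removing it invalidates everything encrypted with it, including encrypted cookies, so all users are logged out`. The release notes in this commit say the key is added at upgrade, so the first line should match whatever the upgrade script actually does.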
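Review bot: The `cipher` comment lists four algorithms but never says that the app key length must match the chosen cipher, and the release notes in this commit give its default as '' while the commented example here is `'aes-256-cbc'`, so an operator cannot tell what is in effect when the line stays commented out. If this follows Laravel's encrypter, a key generated for one cipher is rejected once `cipher` is switched to one with a different key size, so the comment should state the effective default and warn that `cipher` must not be changed after `app_key` has been generated. The `cookie_encryption` wording is also awkward; suggest `; Whether the cookie sent to the browser is encrypted; changing this setting forces all users to log in again`.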
@@ -11,9 +11,15 @@
 See config.TEMPLATE.inc.php for a description and examples of all supported configuration parameters.
 New config.inc.php parameters added for general:
- - session_cookie_enctyption_key (default value: ''), allow cookie encryption when set
+ - app_key (default value: ''), application specific key will used internally for encryption/decryption. This will be automatically added at upgrade.
+
+New config.inc.php parameters added for security:
+ - cipher (default value: ''), cipher algorithm used to generate app key and encryption purpose
+ - cookie_encryption (default value: ''), allow cookie encryption when set
+
 New Features
 ------------
 #9566 : Convert session and cookie management to Laravel
+ #9895 : Introduce APP KEY feature of Laravel
diff --git a/lib/pkp b/lib/pkp
index bee9547b491..4d85c0feee9 160000
--- a/lib/pkp
+++ b/lib/pkp
@@ -1 +1 @@
-Subproject commit bee9547b491353e92e53e5ed2da2d197a24be972
+Subproject commit 4d85c0feee944902581c69d645cc59c5602dc714