39,11 → 39,6 |
with the sole purpose of allowing to invalidate all issued JWT by changing the server secret. |
(This would be more secure than the Blacklist feature, since changing the server secret) |
also invalidates JWT which might have been maliciously postdated). |
- Session Handler (OIDplusSessionHandler.class.php): |
Encryption of session contents (regular logins) |
* if OpenSSL is installed: sha512-pbkdf2 + AES-256-CBC + sha3-512-hmac |
* if OpenSSL is not installed: sha3-512-hmac |
* In both cases, the key is `OIDplus::authUtils()->makeSecret(["b118abc8-f4ec-11ed-86ca-3c4a92df8582"])`. |
|
Temporary auth keys (sent via email etc.): |
* used at plugin forgot RA password (public/091): |
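Review bot: the fallback line under the Session Handler bullet, "if OpenSSL is not installed: sha3-512-hmac", describes an HMAC only, which gives integrity but no confidentiality, yet the heading above it reads "Encryption of session contents"; the documentation should say plainly that without OpenSSL the session contents are authenticated but stored unencrypted, so operators know what that configuration actually protects. It would also help to state whether the key from `OIDplus::authUtils()->makeSecret(["b118abc8-f4ec-11ed-86ca-3c4a92df8582"])` depends on the same server secret named in the first bullet, since if it does, rotating the secret to invalidate JWTs will invalidate open sessions too, and the text should say so. The "Temporary auth keys" bullet ends after "used at plugin forgot RA password (public/091):" with nothing following the colon; either the list item is incomplete or the remaining items were dropped from the hunk.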