Question about encrypted cookies

Qua8zoh6 · November 24, 2022, 4:52pm

Hi,

I’ve got a rather simple question (I hope) about the cookie encryption and its values. There are two values I have to set:

xwiki.authentication.validationKey
xwiki.authentication.encryptionKey

The comments in xwiki.cfg read

#-# Cookie encryption keys. You SHOULD replace these values with any random string,
#-# as long as the length is the same.

Does this mean

A) both of those values should have the same length (e.g. 32, 64 or whatever many characters)
or
B) both of these values should be no more and no less than 32 characters (like the examples given in the config)

I always understood it like option A and set two random strings which were both the same size, this is correct, no?

Thanks in advance!

MichaelHamann · November 25, 2022, 2:29pm

It’s B, both of these values should have 32 characters. My understanding of the code is, however, that it also isn’t a problem if they should be longer and that there is no need for them to be both of the same length.

Qua8zoh6 · November 25, 2022, 2:37pm

Oh wow, I did not expect THAT. This means, each parameter could have different values >32 characters and it would not matter since they would be trimmed to 32 chars anyway? Thanks!