What happens if I change the salt setting in OJS3 on a production site?


What exactly happens if I change the salt key in config.inc.php on a production site? https://github.com/pkp/ojs/blob/master/config.TEMPLATE.inc.php#L257

Do user passwords still work?
Will everybody be logged out automatically?
Something else to consider?

Hi @ajnyga, greetings my friend!!

I was curious about your questions, and I did a test (linving on the edge). I changed in a enviroment test OJS (v. 2.4.x) and nothing wrong happend (all passwords and active sessions remain without a problem).

I think, and guess, that this salt key is only used for recovering or reseting password action (if I am not wrong). In deed, right bellow is the timeout conf for this reset hash.

Anyway, I am curious if something, but only reseting passwords, could be implied on it.



Thanks @israel.cefrin!

Hi all,

The salt setting in config.inc.php is used for password reset hashes and the CSRF token. Both of these can be considered “short-term”, i.e. changing the salt will cause little disruption. For passwords, the salt is automatically created and included in the stored password. (For details, see the Return Values section under the documentation for password_hash.)

Alec Smecher
Public Knowledge Project Team