rhubarbgroup / redis-cache

A persistent object cache backend for WordPress powered by Redis. Supports Predis, PhpRedis, Relay, replication, sentinels, clustering and WP-CLI.
https://wordpress.org/plugins/redis-cache/
GNU General Public License v3.0

Nudge towards better prefixes #225

Open tillkruss opened 4 years ago

tillkruss commented 4 years ago

The "salt" as "prefix" is a misleading naming convention. I keep seeing prefixes that are ridiculously long and contain all the characters.

Let's nudge users towards a cleaner prefix setup with examples in the UI, if theirs is quite long and contains many special characters.

rIT<~s5f$+w]!s&HL5tlGw|gLe13*/rGo= |u3!izQCQyx|VBeB5hw&#ZD,6GtaI => mysite:

naxvog commented 4 years ago

Well, considering that some users and/or hosters are using one Redis instance to host many sites, the prefix or salt is also a security measure to prevent one site from reading from another. Sure, there is ACL, but this feature is too new to be widely adopted.

We should definitely nudge users if they use problematic characters but the length should not be a concern in my opinion.

tillkruss commented 4 years ago

For the record: Long prefixes provide ZERO security. To isolate customer data, each customer must have its own Redis instance, or Redis 6 ACLs must be used.

Should we not discourage this behavior?
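Added example, not part of the thread and not the plugin's own configuration: a `redis.conf` fragment showing the Redis 6 ACL isolation mentioned in the comment above, next to the shared-user setup that relies on prefixes alone. The user names, prefixes and password placeholders are assumptions, and which commands the plugin itself needs is not stated on this page, so the command rules should be tested before use.

```conf
# redis.conf fragment (Redis 6 or later). Constructed example: user names,
# key prefixes and passwords below are placeholders, not project values.

# Before: every site connects as the shared default user. A key prefix
# only names keys here; any client can read or delete keys under any
# other prefix, however long or random that prefix is.
# user default on nopass ~* +@all

# After: reject unauthenticated and default-user connections.
user default off

# One user per site. "~site_a:*" limits key arguments to that site's
# prefix, so a short readable prefix is enough once the ACL enforces it.
# -@admin and -@dangerous remove commands such as CONFIG, KEYS, FLUSHDB
# and FLUSHALL, which take no key argument and are therefore not
# constrained by the key pattern.
user site_a on >REPLACE_WITH_RANDOM_SECRET_A ~site_a:* +@all -@admin -@dangerous
user site_b on >REPLACE_WITH_RANDOM_SECRET_B ~site_b:* +@all -@admin -@dangerous

# Checks after reloading: "ACL LIST" shows the effective rules,
# "ACL WHOAMI" confirms which user a connection authenticated as, and
# "ACL LOG" lists denied commands and key accesses for review.
```

With this in place, the secret lives in the per-site password and the prefix is just a namespace label such as `mysite:`.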

ThaDaVos commented 9 months ago

As I just ran into the issue of conflicting prefixes myself, why not use the database name as the prefix by default? This will ensure it's always unique, at least on the same server, and prevent conflicts when people on shared hosting install the plugin and don't change the settings.

tillkruss commented 9 months ago

@ThaDaVos: That was discussed a few times. There is no way to technically accomplish this reliably inside the plugin. It has to be done by the user.

ThaDaVos commented 9 months ago

Uhm... Using the database name can't reliably be done? I thought it was set as a constant called 'DB_NAME' - can't you access that from the plugin?