So, I'm 'randomly' generating two salts for use with later encryption and hashing. These are generated during the application's install process and then copied into a global configurations file via file_put_contents().
Now, when these are generated, I can view them in my 'globalParams.php' file. They are stored as values of an array, but this array is not utilised at all in this installation process.
The code for generation is as follows:
// Let's generate some encryption salts:
// Note: mt_rand() is not a cryptographically secure source, the 'salt' option of
// password_hash() is deprecated as of PHP 7.0, and mcrypt_create_iv() was removed
// in PHP 7.2 (random_bytes() is the modern replacement).
$options = [
    'cost' => 12,
    'salt' => mcrypt_create_iv(32, MCRYPT_DEV_URANDOM),
];
$salt  = password_hash(mt_rand(), PASSWORD_BCRYPT, $options);
$salt  = password_hash($salt, PASSWORD_BCRYPT, $options);
$salt2 = password_hash(mt_rand(), PASSWORD_BCRYPT, $options);
$salt2 = password_hash($salt2, PASSWORD_BCRYPT, $options);
After this, they are placed into the config file like so:
// Let's open up our template globalParams.php and replace some strings..
$editFile = file_get_contents('newGlobalParams.php');
$editFile = str_replace("database_hostname", $hostname, $editFile);
$editFile = str_replace("database_username", $dbUser, $editFile);
$editFile = str_replace("database_password", $dbPass, $editFile);
$editFile = str_replace("database_name", $database, $editFile);
$editFile = str_replace("encryption_salt", $salt, $editFile);
$editFile = str_replace("encryption_salt2", $salt2, $editFile);
// Replace the original globalParams.php now that the system is set up..
file_put_contents('../_includes/globalParams.php', $editFile);
And these are example outputs:
$parameters['main']['salt'] = "$2y$12$cLSGeEoau5/4NEZ3Fe8qquxwUBc6aL5fmcYUlQtavdoIY1L7NKnaG";
$parameters['main']['salt2'] = "$2y$12$cLSGeEoau5/4NEZ3Fe8qquxwUBc6aL5fmcYUlQtavdoIY1L7NKnaG2";
Why are they identical, but with an appended 2?
More code, including the entire installer file, can be posted if needed..
Ta.
Edit:
Here are the results that are echoed right after generation:
$2y$12$uuZoLwioBePD9aDozrOJkus3e/DuShspaqKzzCDVne6BwVsyDkBA2
$2y$12$uuZoLwioBePD9aDozrOJkuicthSCvq2mpGTQlKNGZ.jLUUrfSDEq.
Values dumped to 'globalParams.php':
$parameters['main']['salt'] = "$2y$12$uuZoLwioBePD9aDozrOJkus3e/DuShspaqKzzCDVne6BwVsyDkBA2";
$parameters['main']['salt2'] = "$2y$12$uuZoLwioBePD9aDozrOJkus3e/DuShspaqKzzCDVne6BwVsyDkBA22";
Template of 'globalParams.php':
<?php
// Global configurations file
$parameters['dbC']['hostname'] = "database_hostname";
$parameters['dbC']['username'] = "database_username";
$parameters['dbC']['password'] = "database_password";
$parameters['dbC']['database'] = "database_name";
$parameters['main']['salt'] = "encryption_salt";
$parameters['main']['salt2'] = "encryption_salt2";
session_start(); // Start the session, ready for the user to login with.
putenv( "TZ=Europe/London" ); // Set the timezone for cookies and the sessions.
require_once('databaseFunctions.php');
require_once('coreFunctions.php');
if(file_exists('_install/')) { // Ensures no malicious user can reinstall the application using their own data..
exit( "Please delete the \"install\" directory." );
}
The problem is this: you are replacing the encryption_salt inside encryption_salt2 on the first replacement. Then the second replacement does nothing, because the pattern encryption_salt2 no longer exists.
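The following is an added example, not code from the question or the answer, that reproduces the prefix-clobbering behaviour on a two-line stand-in for the template and shows two ways to fix it. The template text, the placeholder values SALT_ONE/SALT_TWO and the function names are constructed for this demonstration; in the real installer the values come from password_hash().

```php
<?php
// Constructed two-line stand-in for the globalParams.php template.
$template = <<<'TPL'
$parameters['main']['salt'] = "encryption_salt";
$parameters['main']['salt2'] = "encryption_salt2";
TPL;

// Constructed stand-in values (the installer would use password_hash() output).
$salt  = 'SALT_ONE';
$salt2 = 'SALT_TWO';

// 1. The original, sequential approach. The first call also rewrites the
//    "encryption_salt" prefix inside "encryption_salt2", leaving "SALT_ONE2";
//    the second call then finds nothing to replace.
function substituteSequential(string $tpl, string $salt, string $salt2): string
{
    $tpl = str_replace('encryption_salt', $salt, $tpl);
    $tpl = str_replace('encryption_salt2', $salt2, $tpl);
    return $tpl;
}

// 2. Fix A: replace the longer placeholder first, so the shorter prefix is
//    only matched once the longer one is already gone.
function substituteLongestFirst(string $tpl, string $salt, string $salt2): string
{
    $tpl = str_replace('encryption_salt2', $salt2, $tpl);
    $tpl = str_replace('encryption_salt', $salt, $tpl);
    return $tpl;
}

// 3. Fix B: strtr() with an array makes a single pass and prefers the longest
//    key at each position, so the order of the map does not matter. Note that
//    str_replace() with array arguments does NOT behave this way: it applies
//    each pair in turn to the output of the previous one, exactly like (1).
function substituteStrtr(string $tpl, string $salt, string $salt2): string
{
    return strtr($tpl, [
        'encryption_salt'  => $salt,
        'encryption_salt2' => $salt2,
    ]);
}

// Post-condition an installer should enforce before writing the config file:
// no placeholder survives, and both secrets actually made it into the output.
function checkSubstitution(string $out, string $salt, string $salt2): bool
{
    return strpos($out, 'encryption_salt') === false
        && $salt !== $salt2
        && strpos($out, $salt) !== false
        && strpos($out, $salt2) !== false;
}

$variants = [
    'sequential'   => 'substituteSequential',
    'longestFirst' => 'substituteLongestFirst',
    'strtr'        => 'substituteStrtr',
];

foreach ($variants as $name => $fn) {
    $out = $fn($template, $salt, $salt2);
    printf("%-12s ok=%s\n%s\n\n", $name,
        checkSubstitution($out, $salt, $salt2) ? 'yes' : 'no', $out);
}
```

Running this prints ok=no for the sequential variant (its output contains "SALT_ONE2" and no "SALT_TWO") and ok=yes for the other two. A more robust template convention is to delimit placeholders, e.g. {{encryption_salt}} and {{encryption_salt2}}, so that no placeholder can be a prefix of another; the post-condition check is worth keeping in either case, since a silently duplicated secret is exactly the kind of installer bug that goes unnoticed until the config is already in production.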