diff --git a/core/install.php b/core/install.php
index d5326dbe..77aa07c3 100644
--- a/core/install.php
+++ b/core/install.php
@@ -314,7 +314,8 @@ function create_tables(Database $db): void
 function write_config(string $dsn): void
 {
- $file_content = "<" . "?php\ndefine('DATABASE_DSN', '$dsn');\n";
+ $secret = bin2hex(random_bytes(16));
+ $file_content = "<" . "?php\ndefine('DATABASE_DSN', '$dsn');\ndefine('SECRET', '$secret');\n";
 if (!file_exists("data/config")) {
 mkdir("data/config", 0755, true);
diff --git a/core/sys_config.php b/core/sys_config.php
index 8c286d2c..23064ef1 100644
--- a/core/sys_config.php
+++ b/core/sys_config.php
@@ -38,3 +38,4 @@ _d("BASE_HREF", null); // string force a specific base URL (default i
 _d("TRACE_FILE", null); // string file to log performance data into
 _d("TRACE_THRESHOLD", 0.0); // float log pages which take more time than this many seconds
 _d("TRUSTED_PROXIES", []); // array trust "X-Real-IP" / "X-Forwarded-For" / "X-Forwarded-Proto" headers from these IP ranges
+_d("SECRET", DATABASE_DSN); // string A secret bit of data used to salt some hashes
diff --git a/core/user.php b/core/user.php
index c41a067e..0b7b556d 100644
--- a/core/user.php
+++ b/core/user.php
@@ -249,7 +249,7 @@ class User
 public function get_auth_token(): string
 {
 global $config;
- $salt = DATABASE_DSN;
+ $salt = SECRET;
 $addr = get_session_ip($config);
 return md5(md5($this->passhash . $addr) . "salty-csrf-" . $salt);
 }
diff --git a/tests/defines.php b/tests/defines.php
index 3d5a9a4c..61fa91ff 100644
--- a/tests/defines.php
+++ b/tests/defines.php
@@ -23,3 +23,4 @@ define("TIMEZONE", 'UTC');
 define("CLI_LOG_LEVEL", 50);
 define("STATSD_HOST", null);
 define("TRUSTED_PROXIES", []);
+define("SECRET", "asdfghjkl");
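Review bot: In `write_config()` (core/install.php) the new `$file_content` line still interpolates `$dsn` directly into a single-quoted PHP literal, so a DSN containing `'` or `\` produces a broken config file or unintended PHP in it. Writing both values through `var_export()` avoids that, e.g. `"define('DATABASE_DSN', " . var_export($dsn, true) . ");\n"` and the same for `$secret`. The file now also carries the token secret, and the directory is created `0755` here; the write itself is outside the hunk, so it is worth confirming there that the file is not readable by other local users. `write_config`'s body continues outside the hunk.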
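Review bot: The default `_d("SECRET", DATABASE_DSN)` in core/sys_config.php means any install whose config file predates this commit keeps using the DSN as its token secret, since only `write_config()` on a fresh install generates a random value. Nothing in the visible change tells an upgrading admin to add a `SECRET` define, so the hardening appears not to reach existing sites. I would have the comment say so, e.g. `// string  secret used to salt auth tokens; defaults to DATABASE_DSN for older installs, set a random value in your config`, and repeat it in the upgrade notes. Changing the value presumably invalidates outstanding auth tokens, which is worth stating as well.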
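Review bot: `get_auth_token()` in core/user.php still derives the token with nested `md5()` over concatenated strings, a hand-rolled keyed hash, even though a dedicated random key is now available. A keyed MAC fits better here: `return hash_hmac('sha256', $this->passhash . $addr . "salty-csrf-", SECRET);`. That changes the token's length and value, so any storage that assumes 32 hex characters needs checking, and the places that compare the token should use `hash_equals()`; none of those are visible in this hunk.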