On Thu, Jun 20, 2013 at 4:29 PM, Michael Cetrulo <mail2sa...@gmail.com> wrote:
> considering that the SECRET_KEY is automatically generated every time a new
> project is created [1], wouldn't it make more sense to have this logic in
> settings.py and generate a new value when loading the app instead of saving
> it as an actual hardcoded value there? eg:
>
> #settings.py
>
> from django.utils.crypto import get_random_string
> chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
> SECRET_KEY = get_random_string(50, chars)
>
> are there any problems I'm not considering here? thanks.
>
> [1]
> https://github.com/django/django/blob/master/django/core/management/commands/startproject.py
>

SECRET_KEY is used in lots of places in Django where you need a
non-changing salt. For instance, if you use signed cookies as a session
backend, the SECRET_KEY is used as part of the signing key.

Therefore, every time you change the SECRET_KEY, you invalidate all
previously signed contents. This would make it beyond useless for
signing purposes.

The only other use of SECRET_KEY in django itself is as the default
encryption secret. Again, the same problem applies - if you change
SECRET_KEY on startup, you will no longer be able to decrypt things
you encrypted earlier.

I don't see what benefit you are trying to get by cycling SECRET_KEY.

Cheers

Tom

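The point Tom makes about signing can be shown concretely. The following is an added example, not Django's code and not part of the original thread: it models, in plain Python, how django.core.signing derives a per-purpose key from SECRET_KEY plus a salt and HMACs the value (the exact hash and key-derivation used here are an assumption chosen for illustration; Django's salted_hmac has its own choices), then simulates the proposal from the question: sign a session cookie under one randomly generated key, "restart" with a freshly generated key, and try to verify the cookie again. The helper names (derive_key, sign, unsign, random_secret, demo_restart) are this example's own.

```python
import hashlib
import hmac
import secrets
import string

# Same alphabet the question's settings.py snippet uses.
CHARS = string.ascii_lowercase + string.digits + "!@#$%^&*(-_=+)"


def random_secret(length: int = 50) -> str:
    """Generate a SECRET_KEY-like value, as the question proposes doing at startup."""
    return "".join(secrets.choice(CHARS) for _ in range(length))


def derive_key(secret: str, salt: str) -> bytes:
    # Assumed derivation: hash(salt || secret). The salt separates purposes
    # (sessions, password reset, ...) so one SECRET_KEY yields distinct MAC keys.
    return hashlib.sha256(salt.encode() + secret.encode()).digest()


def sign(value: str, secret: str, salt: str = "django.core.signing") -> str:
    """Return 'value:mac', where mac is an HMAC under the derived key."""
    mac = hmac.new(derive_key(secret, salt), value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{mac}"


def unsign(signed: str, secret: str, salt: str = "django.core.signing"):
    """Return the original value, or None if the MAC does not verify under `secret`."""
    value, sep, mac = signed.rpartition(":")
    if not sep:
        return None
    expected = hmac.new(derive_key(secret, salt), value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so verification does not leak the MAC byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    return value


def demo_restart():
    """Sign a session cookie, regenerate the key as if the process restarted, re-verify."""
    key_before = random_secret()
    cookie = sign("session-id-42", key_before)

    key_after = random_secret()  # what "generate on load" would produce after a restart

    # A tampered cookie: payload changed, MAC kept.
    tampered = "session-id-43:" + cookie.split(":", 1)[1]

    return {
        "same_key": unsign(cookie, key_before),   # the legitimate cookie still verifies
        "new_key": unsign(cookie, key_after),     # None: every existing session is invalid
        "tampered": unsign(tampered, key_before), # None: MAC rejects the altered payload
    }


if __name__ == "__main__":
    print(demo_restart())
```

The second result is the whole objection: a key regenerated at load time means every cookie, password-reset token or other signed value issued before the restart fails verification, exactly as if it had been tampered with. Rotating the key intentionally is fine, but it has to be a deliberate, coordinated step, not a side effect of starting the process.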