Re: autogenerating SECRET_KEY every time the server runs

2013-06-20 Thread Tom Evans
On Thu, Jun 20, 2013 at 4:29 PM, Michael Cetrulo  wrote:
> considering that the SECRET_KEY is automatically generated every time a new
> project is created [1], wouldn't it make more sense to have this logic in
> settings.py and generate a new value when loading the app instead of saving
> it as an actual hardcoded value there? eg:
>
> #settings.py
>
> from django.utils.crypto import get_random_string
> chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
> SECRET_KEY = get_random_string(50, chars)
>
> are there any problems I'm not considering here? Thanks.
>
> [1]
> https://github.com/django/django/blob/master/django/core/management/commands/startproject.py
>

SECRET_KEY is used in lots of places in django where you need a non
changing salt. For instance, if you use signed cookies as a session
backend, the SECRET_KEY is used as part of the signing key.

Therefore, every time you change the SECRET_KEY, you invalidate all
previously signed contents. This would make it beyond useless for
signing purposes.

The only other use of SECRET_KEY in django itself is as the default
encryption secret. Again, the same problem applies - if you change
SECRET_KEY on startup, you will no longer be able to decrypt things
you encrypted earlier.

I don't see what benefit you are trying to get by cycling SECRET_KEY.

Cheers

Tom

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
For more options, visit https://groups.google.com/groups/opt_out.
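To make Tom's point concrete, here is an added example (not Django's own code and not from anyone in this thread) that models the signing scheme in django.core.signing with the standard library only: an HMAC keyed from SECRET_KEY plus a per-purpose salt. The function names, the 50-character key generator copied from the proposal, and the cookie value are assumptions for the demo. It shows a cookie signed before a restart failing to verify under a freshly generated key, and, going one step beyond the thread, how a deliberate rotation with a fallback key list keeps old sessions readable while new ones are issued under the new key.

```python
import base64
import hashlib
import hmac
import secrets

# Added illustration for this thread, not django.core.signing itself. It keeps
# the shape of Django's salted_hmac(): derive a per-purpose key from
# (salt, SECRET_KEY), then HMAC the value with it.

# Same alphabet the proposal (and startproject) uses for SECRET_KEY.
CHARS = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'


def generate_secret_key(length: int = 50) -> str:
    """What the proposal would run at every import of settings.py."""
    return ''.join(secrets.choice(CHARS) for _ in range(length))


def _b64(data: bytes) -> str:
    # urlsafe base64 without padding: never contains ':' so it can be split off
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def _mac(secret: str, salt: str, value: str) -> str:
    key = hashlib.sha256((salt + secret).encode()).digest()
    return _b64(hmac.new(key, value.encode(), hashlib.sha256).digest())


def sign(value: str, secret: str, salt: str = "session") -> str:
    """Return value:signature, signed under `secret` for purpose `salt`."""
    return f"{value}:{_mac(secret, salt, value)}"


def unsign(signed: str, keys_in_order, salt: str = "session"):
    """Return the value if any key in `keys_in_order` verifies it, else None.

    Trying keys in order is the staged-rotation pattern: current key first,
    then retired keys that are still accepted for verification only.
    """
    value, sep, sig = signed.rpartition(':')
    if not sep:
        return None
    for secret in keys_in_order:
        if hmac.compare_digest(sig, _mac(secret, salt, value)):
            return value
    return None


def demo_restart_invalidates():
    """A cookie issued before a restart under a per-boot key: None afterwards."""
    key_at_boot = generate_secret_key()
    cookie = sign("sessionid=abc123", key_at_boot)  # constructed sample value
    assert unsign(cookie, [key_at_boot]) == "sessionid=abc123"
    key_after_restart = generate_secret_key()  # fresh key on next boot (or in another worker)
    return unsign(cookie, [key_after_restart])


def demo_staged_rotation():
    """Rotate on purpose: sign with the new key, verify with new then old."""
    old_key = generate_secret_key()
    cookie = sign("sessionid=abc123", old_key)
    new_key = generate_secret_key()
    still_valid = unsign(cookie, [new_key, old_key])  # old cookie still readable
    reissued = sign(still_valid, new_key)              # re-sign under the new key
    # Once old_key is dropped from the list, only re-issued cookies survive.
    return unsign(cookie, [new_key]), unsign(reissued, [new_key])


if __name__ == "__main__":
    print("after restart with a fresh key:", demo_restart_invalidates())
    print("after staged rotation (old cookie, re-issued cookie):", demo_staged_rotation())
```

The first demo is the failure mode Tom describes, and it is worse than a restart problem: under a multi-process deployment every worker importing settings.py would hold a different key, so a cookie signed by one worker fails in the next. The second demo is the pattern Django itself later adopted as the SECRET_KEY_FALLBACKS setting (Django 4.1 and later): the old key stays in the verification list only long enough for sessions to be re-issued, then is removed.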




Re: autogenerating SECRET_KEY every time the server runs

2013-06-20 Thread Oscar Carballal
So the SECRET_KEY is stored in the database at syncdb time? What if it gets
compromised, you need to modify that table/row? Just asking out of
curiosity :-)


2013/6/20 John DeRosa 

> When we run the development server locally, we often start with an
> already-existing database. We don't re-initialize the db unless we have to,
> because there's been a schema change or a change in the value stored in a
> table's field.
>
> So we'd need SECRET_KEY to not change most of the time!
>
> John
>
> On Jun 20, 2013, at 8:29 AM, Michael Cetrulo  wrote:
>
> considering that the SECRET_KEY is automatically generated every time a
> new project is created [1], wouldn't it make more sense to have this logic in
> settings.py and generate a new value when loading the app instead of saving
> it as an actual hardcoded value there? eg:
>
> #settings.py
>
> from django.utils.crypto import get_random_string
> chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
> SECRET_KEY = get_random_string(50, chars)
>
> are there any problems I'm not considering here? Thanks.
>
> [1]
> https://github.com/django/django/blob/master/django/core/management/commands/startproject.py
>




Re: autogenerating SECRET_KEY every time the server runs

2013-06-20 Thread John DeRosa
When we run the development server locally, we often start with an 
already-existing database. We don't re-initialize the db unless we have to, 
because there's been a schema change or a change in the value stored in a 
table's field.

So we'd need SECRET_KEY to not change most of the time!

John

On Jun 20, 2013, at 8:29 AM, Michael Cetrulo  wrote:

> considering that the SECRET_KEY is automatically generated every time a new 
> project is created [1], wouldn't it make more sense to have this logic in 
> settings.py and generate a new value when loading the app instead of saving 
> it as an actual hardcoded value there? eg:
> 
> #settings.py
> from django.utils.crypto import get_random_string
> chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
> SECRET_KEY = get_random_string(50, chars)
> 
> are there any problems I'm not considering here? Thanks.
> 
> [1] 
> https://github.com/django/django/blob/master/django/core/management/commands/startproject.py
> 