On 2014-05-21 16:44, Erik Romijn wrote:
> > Could you elaborate on how such remote-code execution would
> > happen?
>
> If you use Django's cookie-based sessions[1], knowledge of the
> SECRET_KEY allows an attacker to forge a cookie with session data.
> Forging sessions is bad enough, but if
On 20 May 2014, at 22:27, Tim Chase wrote:
>> And yes, it is very important to keep it secret. The worst case
>> scenario for secret key leakage, in particular configurations, is
>> arbitrary remote code execution.
>
> Could you elaborate on how such remote-code
Hi Erik,
On Tue, May 20, 2014 at 8:34 PM, Erik Romijn wrote:
> ...
> If it were used for that, that would indeed be the scenario. Fortunately,
> it's not.
Good to know :)
> There is a current ticket open on documenting exactly this question:
>
On 20/05/2014 at 20.40, Henning Sprang wrote:
> Also, if it should be kept secret, I guess it's safe to assume that
> using an online generator like
> https://djskgen.herokuapp.com/ is not the smartest idea one can come
> up with, right?
You can use any random string,
On 2014-05-20 21:34, Erik Romijn wrote:
> > The question is, what happens when I lose it - when it's used for
> > password hash salt, doesn't that mean if it's lost, all users
> > have to reset their password, don't they?
>
> If it were used for that, that would indeed be the scenario.
>
Hello Henning,
On 20 May 2014, at 20:40, Henning Sprang wrote:
> The question is, what happens when I lose it - when it's used for
> password hash salt, doesn't that mean if it's lost, all users have to
> reset their password, don't they?
If it were used for that, that
Hi,
I have already developed quite a bit in Django, but this is the first
time I am responsible for putting something into real production use.
So I am working through the deployment checklist, and it says the secret key
must be kept super secret. One example shows how to set it as an
environment variable.