Re: What happens when secret key is lost?

2014-05-21 Thread Tim Chase
On 2014-05-21 16:44, Erik Romijn wrote:
> > Could you elaborate on how such remote-code execution would
> > happen?
>
> If you use Django's cookie-based sessions[1], knowledge of the
> SECRET_KEY allows an attacker to forge a cookie with session data.
> Forging sessions is bad enough, but if

Re: What happens when secret key is lost?

2014-05-21 Thread Erik Romijn
On 20 May 2014, at 22:27, Tim Chase wrote:
>> And yes, it is very important to keep it secret. The worst case
>> scenario for secret key leakage, in particular configurations, is
>> arbitrary remote code execution.
>
> Could you elaborate on how such remote-code

Re: What happens when secret key is lost?

2014-05-21 Thread Henning Sprang
Hi Erik,

On Tue, May 20, 2014 at 8:34 PM, Erik Romijn wrote:
> ...
> If it were used for that, that would indeed be the scenario. Fortunately,
> it's not.

Good to know :)

> There is a current ticket open on documenting exactly this question:
>

Re: What happens when secret key is lost?

2014-05-20 Thread Erik Cederstrand
On 20/05/2014 at 20.40, Henning Sprang wrote:
> Also, if it should be kept secret, I guess it's safe to assume that
> using an online generator like
> https://djskgen.herokuapp.com/ is not the smartest idea one can come
> up with, right?

You can use any random string,

Re: What happens when secret key is lost?

2014-05-20 Thread Tim Chase
On 2014-05-20 21:34, Erik Romijn wrote:
> > The question is, what happens when I lose it - when it's used for
> > password hash salt, doesn't that mean if it's lost, all users
> > have to reset their password, don't they?
>
> If it were used for that, that would indeed be the scenario.
>

Re: What happens when secret key is lost?

2014-05-20 Thread Erik Romijn
Hello Henning,

On 20 May 2014, at 20:40, Henning Sprang wrote:
> The question is, what happens when I lose it - when it's used for
> password hash salt, doesn't that mean if it's lost, all users have to
> reset their password, don't they?

If it were used for that, that

What happens when secret key is lost?

2014-05-20 Thread Henning Sprang
Hi,

I have developed quite a bit in Django already, but only now am I, for the first time, responsible for putting something into real production use. So I am working through the deployment checklist, and it says the secret key must be kept super secret. One example shows how to set it as an environment variable.