PS: There's a bit I wrote on how the tokens work in php-shindig (& partuza) on my blog: http://www.chabotc.com/partuza/about-partuza-and-shindig-security-tokens/

The default *encrypted* security token is considered production-safe, and is actually used in production for quite some sites. Just make sure you turn off the 'allow_plaintext_tokens' in your shindig/php/config/container.php file and you're good to go.

-- Chris

On Fri, Mar 13, 2009 at 5:38 PM, Louis Ryan <[email protected]> wrote:

> Sorry, I should have been more specific, the Java BasicSecurityToken should
> not be used. The BlobCrypterSecurityToken is the equivalent in Java of
> turning the plaintext token off in PHP, the systems are just configured
> differently. In Java you use Guice to do it. aes128 is plenty strong
> enough.
>
> On Thu, Mar 12, 2009 at 11:53 PM, Attila Nagy
> <[email protected]> wrote:
>
> > Luis, Chris,
> >
> > On Thu, Mar 12, 2009 at 5:39 PM, Louis Ryan <[email protected]> wrote:
> > > The BasicSecurityToken class used in the Shindig samples should not be
> > > used in real life.
> >
> > What's the case for this in php-shindig? As I see, the php
> > implementation does aes128 encryption when plaintext token is turned
> > off. What are the concerns about this token class?
> >
> > --
> > Nagy Attila Gabor

