#2282: TG2 with auth_tkt authentication uses default secret
------------------------+---------------------------------------------------
Reporter: kikidonk | Owner:
Type: defect | Status: new
Priority: normal | Milestone: 2.0rc1
Component: TurboGears | Version: trunk
Severity: major | Keywords:
------------------------+---------------------------------------------------
A TG2 quickstarted project will be set up to use the auth_tkt mechanism, and
sqlalchemy as backend to fetch users.
The cookie contains an encrypted hash with a secret key that is by default
'secret'. This means that one could change the userid of an existing cookie
and recompute a new cookie to be able to be authenticated as any user.
The fix for that is to pass 'cookie_secret' option to the repoze.who
module.
One way to do this is:
self.sa_auth.cookie_secret = "mysecret"
in config/app_cfg.py
It seems weird to me to have this key in the python file, since it's more
deployment-specific rather than application-specific, much like the
beaker.session.secret. It might be worth either using the
beaker.session.secret key value or being able to define it in the .ini config
file.
--
Ticket URL: <http://trac.turbogears.org/ticket/2282>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
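The following is an added example, not code from the ticket or from TurboGears, showing the deployment-side handling the reporter asks for: the auth_tkt cookie secret is read from the Paste-style .ini (an explicit key, or the existing beaker.session.secret as fallback) instead of being hardcoded in app_cfg.py, and startup is refused when the value is still the default 'secret'. The key name sa_auth.cookie_secret, the minimum length, and the sample .ini fragments are assumptions; beaker.session.secret is the key the ticket names.

```python
"""Added example (not from the ticket or from TurboGears): resolve the auth_tkt
cookie secret from deployment configuration and reject the weak default."""
import configparser
import secrets

WEAK_SECRET = "secret"      # the default the ticket reports
MIN_SECRET_LENGTH = 32      # assumption: a floor for a cookie-signing key

# Constructed sample .ini fragments (not from any real project).
WEAK_INI = """
[app:main]
use = egg:myapp
beaker.session.secret = secret
"""

HARDENED_INI = """
[app:main]
use = egg:myapp
beaker.session.secret = 7f1f0c2d9e5b4a6c8d0e1f2a3b4c5d6e7f8091a2b3c4d5e6
sa_auth.cookie_secret = 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071
"""


class InsecureConfiguration(Exception):
    """Raised when the deployment config would leave auth_tkt cookies forgeable."""


def parse_app_conf(ini_text, section="app:main"):
    """Return one section of a Paste-style .ini as a plain dict.

    Interpolation is disabled because Paste .ini files use %(here)s, which
    configparser would otherwise try to expand.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return dict(parser[section])


def resolve_cookie_secret(app_conf, allow_generate=False):
    """Return the secret that auth_tkt should sign cookies with.

    Preference order follows the ticket's two suggestions:
      1. an explicit 'sa_auth.cookie_secret' key in the .ini (assumed key name)
      2. the existing 'beaker.session.secret' value
    Raises InsecureConfiguration if the chosen value is missing, equals the
    default 'secret', or is shorter than MIN_SECRET_LENGTH. With
    allow_generate=True a missing value is replaced by a random one; that is
    only sensible for development, since cookies then stop validating after
    every restart.
    """
    candidate = (app_conf.get("sa_auth.cookie_secret")
                 or app_conf.get("beaker.session.secret"))
    if not candidate:
        if allow_generate:
            return secrets.token_urlsafe(MIN_SECRET_LENGTH)
        raise InsecureConfiguration("no cookie secret configured in the .ini")
    if candidate == WEAK_SECRET:
        raise InsecureConfiguration("cookie secret is the default 'secret'")
    if len(candidate) < MIN_SECRET_LENGTH:
        raise InsecureConfiguration(
            "cookie secret shorter than %d characters" % MIN_SECRET_LENGTH)
    return candidate


def config_is_safe(app_conf):
    """True if resolve_cookie_secret() accepts the config, False otherwise."""
    try:
        resolve_cookie_secret(app_conf)
    except InsecureConfiguration:
        return False
    return True


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, "safe" if config_is_safe(parse_app_conf(ini)) else "REJECTED")
```

In a quickstarted project the resolved value would be assigned to the sa_auth.cookie_secret attribute the ticket mentions, inside whatever hook receives the loaded .ini section (assumed here to be the app_conf dict Paste Deploy passes to the application factory), so the secret never lives in a source file.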