#2282: Authentication and authorization settings should be customizable on
deployment
------------------------+---------------------------------------------------
Reporter: kikidonk | Owner: Gustavo
Type: defect | Status: assigned
Priority: high | Milestone: 2.1
Component: TurboGears | Version: trunk
Severity: critical | Resolution:
Keywords: auth |
------------------------+---------------------------------------------------
Comment (by kikidonk):
I was referring to the AuthTkt cookie secret, which is not set by anything
in turbogears be it in prod or in devel mode.
This means that you can spoof any identity of a website using TG2 if you
know a valid username and you use the default 'secret' secret string to
compute the hash value.
The fix, as I said in the description, is to have a line:
{{{
self.sa_auth.cookie_secret = "mysecret"
}}}
in your app_cfg.py file so that the auth-tkt secret is initialized properly.
--
Ticket URL: <http://trac.turbogears.org/ticket/2282#comment:6>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
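A startup check for the fix the comment describes, written as an added example rather than TurboGears project code: it refuses to run when `sa_auth.cookie_secret` is unset, equals the well-known default `'secret'`, or is too short, and reads the deployment's own value from an environment variable. `AppConfig` here is a minimal stand-in for the TG2 configuration object, and the variable name `TG_COOKIE_SECRET` is an assumption.

```python
"""Refuse to start a TG2 app whose AuthTkt cookie secret is unset or the default.

Added example, not TurboGears code. ``AppConfig`` is a stand-in for the real
tg.configuration.AppConfig; ``TG_COOKIE_SECRET`` is an assumed variable name.
"""
import os
import secrets
from types import SimpleNamespace

_DEFAULT_SECRET = "secret"   # the fallback value the ticket describes
_MIN_SECRET_BYTES = 32       # anything shorter is easy to brute-force offline


class AppConfig:
    """Minimal stand-in: only the sa_auth namespace used by app_cfg.py."""

    def __init__(self):
        self.sa_auth = SimpleNamespace(cookie_secret=None)


def generate_cookie_secret(nbytes=_MIN_SECRET_BYTES):
    """Return a fresh, random secret suitable for sa_auth.cookie_secret."""
    return secrets.token_hex(nbytes)


def check_cookie_secret(secret):
    """Return a list of problems with the secret; an empty list means OK."""
    problems = []
    if not secret:
        problems.append("cookie_secret is not set")
        return problems
    if secret == _DEFAULT_SECRET:
        problems.append("cookie_secret is the well-known default 'secret'")
    if len(secret.encode("utf-8")) < _MIN_SECRET_BYTES:
        problems.append("cookie_secret is shorter than %d bytes" % _MIN_SECRET_BYTES)
    return problems


def configure_auth(config, environ=None, env_var="TG_COOKIE_SECRET"):
    """Populate sa_auth.cookie_secret from the environment, or fail loudly.

    Failing at startup is deliberate: a silently defaulted secret lets anyone
    who knows a username mint a valid auth_tkt cookie for that user.
    """
    environ = os.environ if environ is None else environ
    secret = environ.get(env_var)
    problems = check_cookie_secret(secret)
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    config.sa_auth.cookie_secret = secret
    return config
```

In a real app_cfg.py the call would be `configure_auth(base_config)`, with the secret provisioned per deployment rather than committed alongside the code.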