The warning is accurate. Disabling session.secure() is not a good idea. Admin and appadmin should not be used without SSL, or your admin cookies can be stolen and used to gain remote access to your web application.
Massimo

On Feb 2, 3:17 pm, Anthony <abasta...@gmail.com> wrote:
> The DotCloud deployment tutorial for web2py
> (http://docs.dotcloud.com/static/tutorials/web2py/) includes the following
> warning. Is this accurate? If so, can we offer a simple fix?
>
> When deploying third-party web2py appliances, you should switch from the
> default Sqlite backend to PostgreSQL or MySQL. This is generally done by
> editing “application/<appname>/models/db.py”, as shown above.
>
> However, you will probably hit the following problems:
>
> - the DAL (Data Abstraction Layer) does not properly quote table names
> when creating SQL schemas – therefore, if some application defines a model
> named “user” (which happens, well, almost all the time!), the schema
> creation will fail;
> - some applications (like PyPress) ship with a Sqlite database,
> containing the database schema and some preloaded data – but when you switch
> to another database, the schema is not always fully re-created, and the data
> is not migrated (leaving the application in a semi-usable state).
>
> This is not related to DotCloud: you will experience the same issues when
> running web2py on your local computer with a PostgreSQL database.
>
> Also, it recommends the following to disable secure session cookies for
> remote non-SSL connections to admin -- is that a good idea?
>
> By default, web2py will allow admin connections only if you are connecting
> from localhost or through SSL. We will allow remote, non-SSL connections by
> commenting out a single line of code:
>
> web2py$ sed -i 's/session.secure()/pass # Do not setup secure cookie/' \
> applications/admin/models/access.py
>
> Please review the rest of the tutorial too, and if any changes are
> necessary, I'll let them know.
>
> Thanks.
>
> Anthony
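As an added example (not part of this thread and not web2py's own code), the following Python snippet audits the Set-Cookie headers returned by an admin response and reports session cookies that lack the Secure or HttpOnly flag, which is the check a deployer would want to run before exposing admin or appadmin remotely. It assumes that web2py names its session cookie session_id_<appname> and that session.secure() is what adds the Secure flag; the sample headers are constructed, not captured from a real server.

```python
from http.cookies import SimpleCookie

# Constructed sample responses (assumption: web2py's session cookie is named
# session_id_<appname>). The first is what an admin app served over TLS with
# session.secure() left in place would send; the second is what it sends once
# that call has been commented out as the tutorial suggests.
SAMPLE_RESPONSES = {
    "secure_admin": [
        "session_id_admin=0a1b2c3d; Path=/; Secure; HttpOnly",
    ],
    "insecure_admin": [
        "session_id_admin=0a1b2c3d; Path=/; HttpOnly",
    ],
}


def audit_set_cookie(set_cookie_headers, served_over_tls=True):
    """Return a list of findings for session cookies that lack protective flags.

    set_cookie_headers: raw Set-Cookie header values from one HTTP response.
    served_over_tls: whether the admin app is reachable only over HTTPS. If it
    is not, the Secure flag cannot be set usefully, because the browser would
    have to send the cookie over plain HTTP for the app to work at all.
    """
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses name=value plus Path/Secure/HttpOnly attributes
        for name, morsel in jar.items():
            # Only session cookies matter for admin access; skip anything else.
            if not name.startswith("session_id_"):
                continue
            # SimpleCookie stores flag attributes as True when present, "" otherwise.
            if not morsel["secure"]:
                findings.append(
                    f"{name}: missing Secure flag, cookie may be sent over plain HTTP"
                )
            if not morsel["httponly"]:
                findings.append(
                    f"{name}: missing HttpOnly flag, readable by page scripts"
                )
            if not served_over_tls:
                findings.append(
                    f"{name}: app reachable over plain HTTP, cookie is exposed in transit"
                )
    return findings


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        problems = audit_set_cookie(headers)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

In a real check the header list would come from the response object of an HTTPS request to the deployed admin application; the point of the `served_over_tls` flag is that leaving session.secure() in place only helps when the app is actually behind SSL, which is exactly the condition the reply above insists on.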