On Fri, Jan 04, 2013 at 09:04:52AM +0100, Vít Ondruch wrote:
...
> However, what is more important is that since your application secret token
> is not that secret, i.e. it is published on github [2], cookies of Aeolus
> could be faked [3]. Katello seems to do better in this area [4] (although it
> was just a quick look into the code, not a security audit :)). Please consider
> narrowing this situation.
> ...
> [2]
> https://github.com/aeolusproject/conductor/blob/master/src/config/initializers/secret_token.rb#L23
> [3]
> http://biggestfool.tumblr.com/post/24049554541/reminder-secret-token-rb-is-named-so-for-a-reason
> [4]
> https://github.com/Katello/katello/blob/master/src/config/initializers/secret_token.rb
I suggest that Conductor should deal with the token exactly the same way Katello does. I see no problem in their approach. Objections?

-- 
Martin Povolny <[email protected]>
tel. +420777714458
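The problem the thread describes is a Rails `secret_token` committed to a public repository, which lets anyone who reads it forge signed session cookies. The following is an added example, not Conductor's or Katello's own initializer, of the mitigation pattern under discussion: keep the secret out of the source tree entirely, load it from a file the deployment owns, and generate it on first use with restrictive permissions. The file path, the `APP_SECRET_TOKEN_FILE` environment variable and the `load_or_create_secret_token` helper are assumptions made for this example.

```ruby
# Added example (not Conductor's or Katello's code): load the Rails session
# secret from a file kept outside the source tree so it never ends up in git.
# The path, the environment variable and the helper name are assumptions.
require 'securerandom'
require 'fileutils'
require 'tmpdir'

# Hypothetical default location; a real deployment would point this at a
# config directory that is not under version control.
DEFAULT_SECRET_PATH = ENV.fetch('APP_SECRET_TOKEN_FILE', '/etc/myapp/secret_token')

# 64 random bytes = 128 hex characters, the same length `rake secret` produces.
MIN_SECRET_BYTES = 64

# Return the secret token, creating the file on first use.
# Existing files are checked for length and for being readable by others,
# so a weak or world-readable secret is noticed rather than silently used.
def load_or_create_secret_token(path = DEFAULT_SECRET_PATH)
  if File.exist?(path)
    token = File.read(path).strip
    if token.length < MIN_SECRET_BYTES * 2
      raise "secret token in #{path} is too short (#{token.length} chars)"
    end
    if (File.stat(path).mode & 0o077) != 0
      warn "#{path} is readable by group/other; chmod 600 it"
    end
    return token
  end

  FileUtils.mkdir_p(File.dirname(path), mode: 0o700)
  token = SecureRandom.hex(MIN_SECRET_BYTES)
  # O_EXCL: fail instead of overwriting if another process created it meanwhile.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(token)
  end
  token
end

# Demonstration against a temporary directory (constructed input, not a real
# deployment path): first call generates the file, second call reuses it.
def demo_secret_roundtrip
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'conf', 'secret_token')
    first  = load_or_create_secret_token(path)
    second = load_or_create_secret_token(path)
    {
      length: first.length,
      stable: first == second,
      mode: File.stat(path).mode & 0o777
    }
  end
end

# In a Rails 3 era app this would be wired up from config/initializers/secret_token.rb as
#   MyApp::Application.config.secret_token = load_or_create_secret_token
# with the secret file listed in the package/installer, not in the repository.
```

The point of the `File::EXCL` flag and the `0o600` mode is that the secret is created exactly once, by the user the application runs as, and is never readable by other accounts on the host; the length check catches a hand-edited or truncated file before it is used to sign cookies.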
