----- Original Message -----
> On Fri, Jan 04, 2013 at 09:04:52AM +0100, Vít Ondruch wrote:
> ...
> > However, what is more important is that, since your application
> > secret token is not that secret, i.e. it is published on github [2],
> > cookies of Aeolus could be faked [3]. Katello seems to do better in
> > this area [4] (although it was just a quick look into the code, not a
> > security audit :)). Please consider narrowing this situation.
> > ...
> > [2] https://github.com/aeolusproject/conductor/blob/master/src/config/initializers/secret_token.rb#L23
> > [3] http://biggestfool.tumblr.com/post/24049554541/reminder-secret-token-rb-is-named-so-for-a-reason
> > [4] https://github.com/Katello/katello/blob/master/src/config/initializers/secret_token.rb
>
> I suggest that Conductor should deal with the token in exactly the same
> way Katello does. I see no problem in their approach.
>
> Objections?
>
> --
> Martin Povolny <[email protected]>
> tel. +420777714458
+1 -- if you take this on, please include a patch to 'do the right thing' in configure. m
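The generate-at-install approach the thread endorses, as an added Ruby example that is neither Conductor's nor Katello's code: the secret lives in an untracked, mode-0600 file and is created on first use instead of being committed to the repository. The file path, module name and helper names are assumptions.

```ruby
# Added example (not Aeolus Conductor's or Katello's code): keep the Rails
# session secret out of git by generating it per installation.
#
# The weak pattern the thread objects to is a literal committed to the repo:
#   Rails.application.config.secret_token = 'c0ffee...'   # public on GitHub
# Anyone who can read the repository can then sign their own session cookies.
#
# The fix reads the token from a file that is NOT tracked by git and
# generates it on first use. Path, module and method names are assumptions.
require 'securerandom'
require 'fileutils'
require 'tmpdir'

module SecretToken
  TOKEN_BYTES = 64                     # 64 random bytes -> 128 hex chars
  MIN_LENGTH  = 2 * TOKEN_BYTES        # refuse anything shorter

  # Returns the per-installation secret, creating it if it does not exist.
  def self.load_or_generate(path)
    if File.exist?(path)
      token = File.read(path).strip
      raise "#{path} is too short to be a safe secret" if token.length < MIN_LENGTH
      return token
    end

    token = SecureRandom.hex(TOKEN_BYTES)
    FileUtils.mkdir_p(File.dirname(path), mode: 0o700)
    # O_EXCL avoids clobbering a token written by a concurrent process;
    # 0600 keeps the secret readable by the service account only.
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      f.write(token)
    end
    token
  end

  # Sanity check an installer ("configure") can run after deployment:
  # file present, not group/world readable, and long enough.
  def self.permissions_ok?(path)
    File.exist?(path) &&
      (File.stat(path).mode & 0o077).zero? &&
      File.read(path).strip.length >= MIN_LENGTH
  end
end

# In config/initializers/secret_token.rb this would become (assumed path):
#   Rails.application.config.secret_token =
#     SecretToken.load_or_generate(Rails.root.join('config', 'secret_token').to_s)
# and 'config/secret_token' is added to .gitignore so it never reaches GitHub.
if __FILE__ == $0
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'secret_token')
    puts SecretToken.load_or_generate(path)
    puts SecretToken.permissions_ok?(path)
  end
end
```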
