- **summary**: improve session cookie handling --> improve session cookie handling NEEDS CONFIG CHANGES
- **Comment**:

for deployment/changelog:

- add `session.jwt_secret_keys` to .ini file, with a value `python -c 'import secrets; print(secrets.token_hex());'`
- `session.type = cookie` is no longer used
- optionally `session.read_original_format = true` and rename `session.validate_key` to `session.original_format_validate_key` for backwards compatibility. Remove after a transition period
- optionally `session.write_original_format = true` if it takes a while to deploy all your code to multiple hosts/procs. Then remove once all processes have new code.
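As an added illustration (not Allura's own code) of what a rotation-friendly `session.jwt_secret_keys` setting enables: a stdlib-only HS256 JWT signer/verifier that signs with the newest key and accepts any configured key, so an old key can be dropped after a transition period, with a JSON payload in place of pickle. The comma-separated key format and the `[app:main]` section name are assumptions for this example.

```python
# Added example, not Allura's implementation. Key list format in the .ini
# (comma-separated hex strings) and the section name are assumptions.
import base64, configparser, hashlib, hmac, json, secrets, time

# Constructed sample .ini fragment; each value is what the ticket's
# `python -c 'import secrets; print(secrets.token_hex())'` command would print.
SAMPLE_INI = """
[app:main]
session.jwt_secret_keys = %s, %s
""" % (secrets.token_hex(), secrets.token_hex())

def load_secret_keys(ini_text):
    """Newest key first; older keys stay only so existing cookies still verify."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    raw = cp["app:main"]["session.jwt_secret_keys"]
    keys = [k.strip().encode() for k in raw.split(",") if k.strip()]
    if not keys or any(len(k) < 32 for k in keys):
        raise ValueError("session.jwt_secret_keys needs at least one strong key")
    return keys

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _unb64(s):
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))

def sign_session(payload, keys, now=None):
    """Sign with keys[0]; the payload is plain JSON, never pickle."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = dict(payload, iat=int(now or time.time()))
    signing_input = header + b"." + _b64(json.dumps(body).encode())
    sig = hmac.new(keys[0], signing_input, hashlib.sha256).digest()
    return (signing_input + b"." + _b64(sig)).decode()

def verify_session(token, keys, max_age=3600, now=None):
    """Return the payload if any configured key validates the token, else None."""
    try:
        h, p, s = token.encode().split(b".")
        header, sig = json.loads(_unb64(h)), _unb64(s)
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None  # refuse alg confusion such as "none"
    expected = [hmac.new(k, h + b"." + p, hashlib.sha256).digest() for k in keys]
    if not any(hmac.compare_digest(sig, e) for e in expected):
        return None
    payload = json.loads(_unb64(p))
    if (now or time.time()) - payload.get("iat", 0) > max_age:
        return None  # stale cookie; rotation alone does not bound lifetime
    return payload
```

Rotation is then a config edit: prepend the new hex key, redeploy, and remove the old key once every process has restarted and old cookies have aged out.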



---

** [tickets:#8526] improve session cookie handling NEEDS CONFIG CHANGES**

**Status:** in-progress
**Milestone:** unreleased
**Labels:** security 
**Created:** Wed Nov 15, 2023 07:48 PM UTC by Dave Brondsema
**Last Updated:** Wed Nov 15, 2023 07:48 PM UTC
**Owner:** Dave Brondsema


Main thing is to move away from pickle, but we can also implement stronger keys, support key rotation, etc.


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/
