Luke Plant wrote:
So I feel quite strongly that we should fix this code to use salted_hmac. (Or fix salted_hmac if there is some problem with it, but remembering that there is lots of data that depends on it).
I updated the patch and changed the way the hashes are generated. We now use the salted_hmac method.
The SECRET_KEY is still in the get_cookie_signer() method because we add a prefix to the secret. If we want to remove the settings.SECRET_KEY in get_cookie_signer() too, we have to add some kind of an optional secret_prefix to salted_hmac.
http://code.djangoproject.com/attachment/ticket/12417/ticket12417-v5.diff

Looking forward to any comments!

Cheers,
Stephan
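The following is an added example, not part of the original message and not Django's own code: a stand-alone sketch of a salted HMAC with the optional `secret_prefix` argument the message proposes, showing that a signature made in one context does not verify in another. The secret, salts, prefix values, SHA-256 and the length-prefixed key derivation are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample secret; a real project would read this from its settings.
SECRET_KEY = b"constructed-example-secret"


def salted_hmac(key_salt: bytes, value: bytes, secret: bytes = SECRET_KEY,
                secret_prefix: bytes = b"") -> hmac.HMAC:
    """Derive a per-use key from salt, prefix and secret, then HMAC the value.

    secret_prefix is the hypothetical optional argument discussed in the message.
    """
    if not key_salt:
        raise ValueError("key_salt must be non-empty to separate uses of the secret")
    # Length-prefix each part so the boundary between salt and prefix cannot
    # be shifted to make two different contexts derive the same key.
    material = b"".join(len(part).to_bytes(4, "big") + part
                        for part in (key_salt, secret_prefix, secret))
    derived_key = hashlib.sha256(material).digest()
    return hmac.new(derived_key, value, hashlib.sha256)


def sign(value: bytes, key_salt: bytes, secret_prefix: bytes = b"") -> str:
    """Return the hex signature of value for one (salt, prefix) context."""
    return salted_hmac(key_salt, value, secret_prefix=secret_prefix).hexdigest()


def verify(value: bytes, signature: str, key_salt: bytes,
           secret_prefix: bytes = b"") -> bool:
    """Check a signature in constant time for the given context."""
    expected = sign(value, key_salt, secret_prefix)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed context labels, not values taken from the patch.
    sig = sign(b"user=42", b"cookie-signer", b"cookies-prefix")
    print("same context:  ", verify(b"user=42", sig, b"cookie-signer", b"cookies-prefix"))
    print("other salt:    ", verify(b"user=42", sig, b"password-reset", b"cookies-prefix"))
    print("missing prefix:", verify(b"user=42", sig, b"cookie-signer"))
```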
