Luke Plant wrote:
So I feel quite strongly that we should fix this code to use
salted_hmac. (Or fix salted_hmac if there is some problem with it, but
remembering that there is lots of data that depends on it).

I updated the patch and changed the way the hashes are generated. We now use the salted_hmac method.

The SECRET_KEY is still in the get_cookie_signer() method because we add a prefix to the secret. If we want to remove the settings.SECRET_KEY in get_cookie_signer() too, we have to add some kind of an optional secret_prefix to salted_hmac.

  http://code.djangoproject.com/attachment/ticket/12417/ticket12417-v5.diff

Looking forward to any comments!

Cheers,

Stephan
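
The salted-HMAC pattern discussed in this message, as an added stand-alone sketch (not Django's code and not the attached patch): it shows that a tag made under one salt, or under a prefixed secret, does not verify under another. The function bodies, the SHA-256 digest, the `SECRET_KEY` value, the salts and the prefix are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed value for this example only.
SECRET_KEY = b"constructed-example-secret"


def salted_hmac(key_salt: bytes, value: bytes, secret: bytes = SECRET_KEY) -> hmac.HMAC:
    """Derive a per-purpose key from salt + secret, then HMAC the value."""
    # Hashing salt and secret together gives every key_salt its own HMAC key,
    # so a tag produced for one feature cannot be replayed against another.
    key = hashlib.sha256(key_salt + secret).digest()
    return hmac.new(key, msg=value, digestmod=hashlib.sha256)


def sign(value: bytes, key_salt: bytes, secret: bytes = SECRET_KEY) -> str:
    return salted_hmac(key_salt, value, secret).hexdigest()


def verify(value: bytes, tag: str, key_salt: bytes, secret: bytes = SECRET_KEY) -> bool:
    expected = sign(value, key_salt, secret)
    # Constant-time comparison avoids leaking how much of the tag matched.
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    value = b"user=42"                      # constructed sample payload
    cookie_salt = b"example.cookie.signer"  # hypothetical salt names
    other_salt = b"example.password.reset"
    tag = sign(value, cookie_salt)
    return {
        "same_salt": verify(value, tag, cookie_salt),
        "other_salt": verify(value, tag, other_salt),
        "tampered_value": verify(b"user=1", tag, cookie_salt),
        # Prefixing the secret changes the derived key as well, which is the
        # effect an optional secret prefix argument would have.
        "prefixed_secret": verify(value, tag, cookie_salt,
                                  secret=b"example.prefix" + SECRET_KEY),
    }


if __name__ == "__main__":
    print(demo())
```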
