On Thu, Jun 20, 2013 at 4:29 PM, Michael Cetrulo <[email protected]> wrote:
> considering that the SECRET_KEY is automatically generated every time a new
> project is created [1], wouldn't it make more sense to have this logic in
> settings.py and generate a new value when loading the app instead of saving
> it as an actual hardcoded value there? eg:
>
> #settings.py
>
> from django.utils.crypto import get_random_string
> chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
> SECRET_KEY = get_random_string(50, chars)
>
> are there any problems I'm not considering here? thanks.
>
> [1]
> https://github.com/django/django/blob/master/django/core/management/commands/startproject.py
>
SECRET_KEY is used in lots of places in Django where you need a non-changing salt. For instance, if you use signed cookies as a session backend, the SECRET_KEY is used as part of the signing key. Therefore, every time you change the SECRET_KEY, you invalidate all previously signed contents. This would make it beyond useless for signing purposes.

The only other use of SECRET_KEY in Django itself is as the default encryption secret. Again, the same problem applies - if you change SECRET_KEY on startup, you will no longer be able to decrypt things you encrypted earlier.

I don't see what benefit you are trying to get by cycling SECRET_KEY.

Cheers

Tom
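The failure Tom describes, worked through with a minimal HMAC signer. This is an added example, not Django's own code and not part of the thread; the key derivation is only loosely modelled on Django's salted HMAC, and the `sign`/`unsign` names, the session payload and the per-startup key generation are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Same alphabet as the quoted settings.py snippet.
CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"


def random_secret_key(length: int = 50) -> str:
    """Stand-in for get_random_string(50, chars): a fresh key per process start."""
    return "".join(secrets.choice(CHARS) for _ in range(length))


def _derive_key(secret: str, salt: str) -> bytes:
    # Salted derivation (loosely modelled on Django's salted_hmac, assumption):
    # the salt namespaces the key so different subsystems get different keys.
    return hashlib.sha256((salt + "signer" + secret).encode()).digest()


def sign(value: str, secret: str, salt: str = "session") -> str:
    """Return 'value:signature' where signature = HMAC(derived_key, value)."""
    mac = hmac.new(_derive_key(secret, salt), value.encode(), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return f"{value}:{sig}"


def unsign(signed: str, secret: str, salt: str = "session") -> Optional[str]:
    """Return the value if the signature verifies under this secret, else None."""
    value, _, _sig = signed.rpartition(":")
    # Recompute and compare in constant time; a mismatch means either the
    # payload was tampered with or the signing key is no longer the same.
    if hmac.compare_digest(sign(value, secret, salt), signed):
        return value
    return None


def demonstrate_rotation() -> dict:
    """Sign a session cookie under one key, then 'restart' with a new key."""
    key_at_first_start = random_secret_key()
    cookie = sign("sessionid=abc123", key_at_first_start)  # constructed payload
    key_after_restart = random_secret_key()  # what a per-startup SECRET_KEY does
    return {
        "verified_with_original_key": unsign(cookie, key_at_first_start) is not None,
        "verified_after_restart": unsign(cookie, key_after_restart) is not None,
        "tampered_rejected": unsign(cookie.replace("abc123", "xyz789"), key_at_first_start) is None,
    }
```

Every session cookie issued before a restart fails verification afterwards, so users are logged out each time the process starts; the same holds for any other signed or encrypted value keyed off SECRET_KEY.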

