On Wed, 2008-11-12 at 00:12 -0200, Juanjo Conti wrote:
> Is there any problem with changing my SECRET_KEY from a running project?

Searching for all uses for the word SECRET_KEY in the source of Django would have gone a fair way towards answering that question. There aren't too many things to worry about. Basically:

(1) If you're using django.contrib.auth, everybody will have to log in again, as all active sessions will be seen as invalid (so if you're using sessions for something other than just recording login, all that information will be lost as well). Often this won't be a big deal.

(2) If you're using Django's password recovery email feature, any existing tokens for password recovery will be treated as invalid (they just won't work) and those people will have to re-request to reset their password.

(3) The setting is also used in formtools (for the form wizard) and the CSRF middleware, but both of those effects have a very short lifetime. So, yes, anybody using a multi-part form submission via form-wizard will have to start again and anybody submitting a form that they loaded before the change and submitted afterwards will have the CSRF middleware reject it, but if you time the rollout you can minimise the chances of that happening.

Regards,
Malcolm
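
The effects listed in the message above share one cause: a value signed under the old key no longer verifies under the new one. The following is an added example, not part of the original thread and not Django's own code; the token format, function names, keys, timestamps and lifetimes are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

class BadToken(Exception):
    """Raised when a token fails the signature or age check."""

def _mac(key: str, body: bytes) -> str:
    # Keyed digest: only a holder of `key` can produce a matching value.
    return hmac.new(key.encode(), body, hashlib.sha256).hexdigest()

def issue(payload: dict, key: str, now: int) -> str:
    """Return 'body.signature'; body carries the payload and the issue time."""
    raw = json.dumps({"p": payload, "t": now}, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(raw)
    return body.decode() + "." + _mac(key, body)

def verify(token: str, key: str, now: int, max_age: int) -> dict:
    """Return the payload, or raise BadToken on a bad MAC or an expired token."""
    body, sep, sig = token.rpartition(".")
    expected = _mac(key, body.encode())
    if not sep or not hmac.compare_digest(sig.encode(), expected.encode()):
        raise BadToken("signature mismatch")
    data = json.loads(base64.urlsafe_b64decode(body))
    if now - data["t"] > max_age:
        raise BadToken("expired")
    return data["p"]

def survives_key_change(token, old_key, new_key, now, max_age) -> bool:
    """True only if a token issued under old_key still verifies under new_key."""
    verify(token, old_key, now, max_age)  # must be valid before the change
    try:
        verify(token, new_key, now, max_age)
        return True
    except BadToken:
        return False

# Constructed sample values, not real keys or real tokens.
OLD_KEY, NEW_KEY = "old-constructed-key", "new-constructed-key"
T0 = 1_226_455_920  # constructed issue time (seconds)
session = issue({"user_id": 42}, OLD_KEY, T0)    # stands in for a login session
reset = issue({"reset_for": 42}, OLD_KEY, T0)    # stands in for a reset token

if __name__ == "__main__":
    for name, tok in (("session", session), ("reset", reset)):
        ok = survives_key_change(tok, OLD_KEY, NEW_KEY, T0 + 60, 86_400)
        print(name, "survives key change:", ok)
    fresh = issue({"user_id": 42}, NEW_KEY, T0 + 60)
    print("issued after change:", verify(fresh, NEW_KEY, T0 + 61, 86_400))
```

Anything issued after the change verifies normally, which is why only values already in flight at rollout time are affected.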

