> > but you do have a number of places using unadorned SHA1
> (including one where I'm really *not* sure why you're *not* using HMAC
> see DefaultHelpers::_csrf_token)
>
The CSRF token just needs to be a reasonably random value, the hash algorithm is irrelevant.

--
sebastian
