You also need to make sure the secret does not change, as that will
invalidate all current sessions. $0 or $$ or anything like that are not
good ideas to use for that reason. To change the secret over time you
should do secret rotation as detailed here:
https://metacpan.org/pod/Mojolicious#secrets

On Mon, Apr 17, 2017 at 2:39 PM, ivo welch <[email protected]>
wrote:

>
> machine-id is a secret that is machine unique.  unless an outsider has
> local access to the machine, this should remain a secret.  moreover, by
> salting it with something else (e.g., $0 or, perhaps, the local users'
> encrypted password), even if the machine-id were leaked, it would not leak
> further.  I am using
>
> use Mojolicious::Lite;
> use Mojo::File;
> use Digest::MD5 qw(md5_base64);
> my $midf = (-e "/usr/local/var/lib/dbus/machine-id") ? "/usr/local/var/lib/dbus/machine-id" : "/etc/machine-id";
> chomp(my $mid = Mojo::File->new($midf)->slurp);  # hash the file's contents, not its path
> app->secrets([md5_base64($mid . $0)]);            # secrets() takes an array ref
>
> I am presuming that this is good enough practice.
>
> /iaw
>
>
> ----
> Ivo Welch ([email protected])
> http://www.ivo-welch.info/
> J. Fred Weston Distinguished Professor of Finance
> Anderson School at UCLA, C524
> Free Finance Textbook, http://book.ivo-welch.info/
> Exec Editor, Critical Finance Review, http://www.critical-finance-review.org/
> Editor and Publisher, FAMe, http://www.fame-jagazine.com/
>
> On Mon, Apr 17, 2017 at 1:31 PM, Dan Book <[email protected]> wrote:
>
>> Any default would be insecure in some way. It must be set by the user to
>> some secret to avoid being guessable.
>>
>> On Mon, Apr 17, 2017 at 2:21 PM, iaw4 <[email protected]> wrote:
>>
>>>
>>> suggestion?
>>>
>>> would it make sense to set the passphrase to "moniker" encoded with the
>>> machine-id as the default, rather than stating the warning message?  is
>>> there a reason why this is not a good idea?  I see linux and osx have
>>> machine-id.  I am not sure about other OS's.
>>>
>>> of course, I can change it myself.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Mojolicious" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> Visit this group at https://groups.google.com/group/mojolicious.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>

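An added example (not code from anyone in this thread) illustrating the two points in Dan's reply: the secret has to stay stable across restarts and processes, so it should be loaded from configuration rather than derived from $0 or $$, and rotation is done by putting the new secret first and keeping the old one in the list until existing sessions have expired. The environment variable name MOJO_SECRETS and the cookie values are assumptions made for this example; the sign/verify helpers re-implement the documented scheme (first secret signs, every secret verifies) on top of Mojo::Util and are not the framework's own code.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread. Shows (1) loading session secrets from
# the environment instead of deriving them from $0/$$, and (2) why rotation keeps
# old sessions valid: the first secret signs, every secret verifies.
use Mojo::Base -strict;
use Mojo::Util qw(hmac_sha1_sum secure_compare);

# MOJO_SECRETS is a name chosen for this example (hypothetical): a comma-separated
# list, newest secret first, e.g. "k2_new,k1_old". Refuse to start without it
# rather than silently falling back to something guessable.
sub load_secrets {
  my $raw = $ENV{MOJO_SECRETS}
    // die "MOJO_SECRETS is not set; refusing to use a guessable default\n";
  my @secrets = grep { length } split /,/, $raw;
  die "MOJO_SECRETS must contain at least one non-empty secret\n" unless @secrets;
  return \@secrets;
}

# Sign like a signed cookie: value, separator, HMAC under the *first* secret only.
sub sign_value {
  my ($value, $secrets) = @_;
  return "$value--" . hmac_sha1_sum($value, $secrets->[0]);
}

# Verify against *every* configured secret, so a value signed under a retired
# secret that is still in the list stays valid until that secret is dropped.
sub verify_value {
  my ($signed, $secrets) = @_;
  return undef unless $signed =~ /^(.*)--([0-9a-f]{40})$/s;
  my ($value, $sig) = ($1, $2);
  for my $secret (@$secrets) {
    return $value if secure_compare($sig, hmac_sha1_sum($value, $secret));
  }
  return undef;
}

# Demonstration with constructed values (runs when executed as a script).
unless (caller) {
  local $ENV{MOJO_SECRETS} = 'k1_old';               # first deployment, one secret
  my $cookie = sign_value('user=42', load_secrets());

  # Rotation: add the new secret at the front, keep the old one for verification.
  local $ENV{MOJO_SECRETS} = 'k2_new,k1_old';
  my $rotated = load_secrets();
  say defined verify_value($cookie, $rotated) ? 'old cookie still valid after rotation' : 'BUG';

  # New values are signed with k2_new ...
  my $fresh = sign_value('user=43', $rotated);

  # ... and once k1_old is retired, only the k2_new-signed value verifies.
  local $ENV{MOJO_SECRETS} = 'k2_new';
  my $final = load_secrets();
  say defined verify_value($fresh,  $final) ? 'fresh cookie valid' : 'BUG';
  say defined verify_value($cookie, $final) ? 'BUG' : 'k1_old cookie rejected once retired';

  # A tampered value never verifies, whatever the secret list.
  (my $tampered = $fresh) =~ s/user=43/user=1/;
  say defined verify_value($tampered, $final) ? 'BUG' : 'tampered cookie rejected';
}
```

In a real application the loaded list goes straight into app->secrets(load_secrets()), and the session cookie then gets the same first-signs, all-verify behaviour from the framework itself; remove the retired secret from MOJO_SECRETS only after the sessions it signed have aged out, and never seed the list from anything that differs between processes or restarts.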