You also need to make sure the secret does not change, as that will invalidate all current sessions. $0 or $$ or anything like that are not good ideas to use for that reason. To change the secret over time you should do secret rotation as detailed here: https://metacpan.org/pod/Mojolicious#secrets
On Mon, Apr 17, 2017 at 2:39 PM, ivo welch <[email protected]> wrote:

> machine-id is a secret that is machine unique. unless an outsider has local access to the machine, this should remain a secret. moreover, by salting it with something else (e.g., $0 [or, perhaps, the local users' encrypted password), even if the machine-id were leaked, it would not leak further. I am using
>
> my $midf= (-e "/usr/local/var/lib/dbus/machine-id") ?
> "/usr/local/var/lib/dbus/machine-id" : "/etc/machine-id";
> app->secrets(md5_base64($midf.$0));
>
> I am presuming that this is good enough practice.
>
> /iaw
>
> ----
> Ivo Welch ([email protected])
> http://www.ivo-welch.info/
> J. Fred Weston Distinguished Professor of Finance
> Anderson School at UCLA, C524
> Free Finance Textbook, http://book.ivo-welch.info/
> Exec Editor, Critical Finance Review, http://www.critical-finance-review.org/
> Editor and Publisher, FAMe, http://www.fame-jagazine.com/
>
> On Mon, Apr 17, 2017 at 1:31 PM, Dan Book <[email protected]> wrote:
>
>> Any default would be insecure in some way. It must be set by the user to some secret to avoid being guessable.
>>
>> On Mon, Apr 17, 2017 at 2:21 PM, iaw4 <[email protected]> wrote:
>>
>>> suggestion?
>>>
>>> would it make sense to set the passphrase to "moniker" encoded with the machine-id as the default, rather than stating the warning message? is there a reason why this is not a good idea? I see linux and osx have machine-id. I am not sure about other OS's.
>>>
>>> of course, I can change it myself.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Mojolicious" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> Visit this group at https://groups.google.com/group/mojolicious.
>>> For more options, visit https://groups.google.com/d/optout.
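The rotation the reply points to, shown end to end as an added example (not code from the thread or from the Mojolicious project): a Mojolicious::Lite app driven by Test::Mojo, so the effect of each change to `app->secrets` on an already-issued session cookie is visible. The secret strings and the two routes are constructed for the example; Mojolicious signs session cookies with the first secret in the list and accepts any secret in the list for verification, which is what makes the hand-over safe.

```perl
#!/usr/bin/env perl
# Added example: secret rotation in a Mojolicious::Lite app, exercised
# through Test::Mojo so the effect on an existing session is observable.
use Mojo::Base -strict;
use Mojolicious::Lite;
use Test::More;
use Test::Mojo;

# Constructed secrets. In a real deployment load them from a config file
# kept outside the repository (e.g. plugin 'Config'); never derive them
# from values that change per process, such as $0 or $$.
app->secrets(['old-secret-2017-03']);

get '/login' => sub {
  my $c = shift;
  $c->session(user => 'alice');    # issues the signed session cookie
  $c->render(text => 'logged in');
};

get '/me' => sub {
  my $c = shift;
  # Reads the session; if the cookie signature does not verify against any
  # configured secret, the session is empty and we fall back to 'anonymous'.
  $c->render(text => $c->session('user') // 'anonymous');
};

# Test::Mojo's user agent keeps a cookie jar, so the session cookie from
# /login is sent with every later request in this script.
my $t = Test::Mojo->new;

# 1. Session established while only the old secret is configured.
$t->get_ok('/login')->status_is(200);
$t->get_ok('/me')->content_is('alice');

# 2. Rotation: new secret first (used to sign), old secret kept so cookies
#    signed with it still verify. Nobody is logged out.
app->secrets(['new-secret-2017-04', 'old-secret-2017-03']);
$t->get_ok('/me')->content_is('alice');

# 3. The response in step 2 re-signed the cookie with the first (new)
#    secret, so the old one can now be removed without losing the session.
app->secrets(['new-secret-2017-04']);
$t->get_ok('/me')->content_is('alice');

# 4. What a secret derived from $0 or $$ does on every restart: a value no
#    outstanding cookie was signed with invalidates all sessions at once.
app->secrets(['unrelated-secret-after-restart']);
$t->get_ok('/me')->content_is('anonymous');

done_testing;
```

Run it with `prove -v rotation.t` (or `perl rotation.t`); each `content_is` check corresponds to one of the numbered steps. The practical procedure is steps 2 and 3 spread over a deployment window: add the new secret at the front of the list, wait at least one session lifetime so every live cookie has been re-signed, then drop the old secret.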
