On Monday, April 17, 2017 at 1:46:22 PM UTC-5, Dan Book wrote:
>
> You also need to make sure the secret does not change, as that will
> invalidate all current sessions. $0 or $$ or anything like that are not
> good ideas to use for that reason. To change the secret over time you
> should do secret rotation as detailed here:
> https://metacpan.org/pod/Mojolicious#secrets
>
> On Mon, Apr 17, 2017 at 2:39 PM, ivo welch <[email protected]> wrote:
>
>>
>> machine-id is a secret that is machine-unique. Unless an outsider has
>> local access to the machine, this should remain a secret. Moreover, by
>> salting it with something else (e.g., $0 or, perhaps, the local user's
>> encrypted password), even if the machine-id were leaked, it would not leak
>> further. I am using
>>
>> use Digest::MD5 qw(md5_base64);
>> my $midf = (-e "/usr/local/var/lib/dbus/machine-id") ?
>>     "/usr/local/var/lib/dbus/machine-id" : "/etc/machine-id";
>> # hash the file's contents (the machine-id itself), not its path
>> my $mid = do { local (@ARGV, $/) = ($midf); <> };
>> app->secrets([md5_base64($mid . $0)]);   # secrets() takes an array ref
>>
>> I am presuming that this is good enough practice.
>>
>> /iaw
>>
>>
Rotation = good advice, thank you.
$$ would indeed be a bad idea, but I think $0 should remain steady (or
perhaps $0 =~ s{.*/}{}). Together with the machine-id and perhaps the
running username, this should remain steady.
--
You received this message because you are subscribed to the Google Groups
"Mojolicious" group.
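As an added example, not code from this thread or from the Mojolicious project: a Mojolicious::Lite app that puts the two points above together, a session secret derived from the machine-id (its contents, not its path) salted with the program's basename and the running user, and secret rotation via the list form of app->secrets, where the first entry signs new cookies and every entry verifies. The SESSION_GENERATION environment variable is an assumption introduced here to drive rotation; HMAC-SHA256 is used in place of the md5 concatenation in the original post. Note that /etc/machine-id is world-readable on a typical Linux install, so the salt and the HMAC are what keep a local reader from recomputing the secret outright.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Mojolicious::Lite;
use Digest::SHA qw(hmac_sha256_base64);
use File::Basename qw(basename);

# Candidate locations for the machine-id, the same two the thread mentions.
my @MACHINE_ID_FILES = ('/usr/local/var/lib/dbus/machine-id', '/etc/machine-id');

# Return the machine-id itself (the file's contents), not the path to it.
sub read_machine_id {
    for my $path (@MACHINE_ID_FILES) {
        open my $fh, '<', $path or next;
        my $id = <$fh>;
        close $fh;
        next unless defined $id;
        chomp $id;
        return $id if length $id;
    }
    die "no readable machine-id in @MACHINE_ID_FILES\n";
}

# Derive one secret from the machine-id, keyed on inputs that stay fixed
# across restarts: the program's basename (not $$), the running user, and a
# generation number. The machine-id is the HMAC key, so it never appears in
# the derived value even if a secret is logged or leaked.
sub derive_secret {
    my ($machine_id, $generation) = @_;
    my $user = getpwuid($<) // 'unknown';
    my $salt = join ':', basename($0), $user, $generation;
    return hmac_sha256_base64($salt, $machine_id);
}

# Rotation: the first secret signs new cookies, every listed secret verifies.
# Bumping SESSION_GENERATION (hypothetical env var, default 1) makes the new
# generation sign while the previous one still verifies, so sessions issued
# before the bump stay valid until the next bump drops that generation.
my $generation = $ENV{SESSION_GENERATION} // 1;
my $machine_id = read_machine_id();
my @secrets = map { derive_secret($machine_id, $_) }
              grep { $_ >= 1 } ($generation, $generation - 1);
app->secrets(\@secrets);

get '/' => sub {
    my $c = shift;
    my $visits = ($c->session('visits') // 0) + 1;
    $c->session(visits => $visits);
    $c->render(text => "visits in this session: $visits\n");
};

app->start;
```

Start it with `perl app.pl daemon`, fetch / a few times with a cookie jar, then restart it with `SESSION_GENERATION=2` and replay the same cookie: the counter keeps incrementing because generation 1 is still at the back of the list, and the re-issued cookie is now signed with generation 2. Restarting with the same generation, or as a different user, shows the other half of the thread's point: the former keeps sessions, the latter silently invalidates them, since the user name is part of the salt.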