$0 can be changed by anything in the process or when starting the process, so it is not a reliable identifier. Whether you expect the running username to stay the same is up to you. Regardless, none of these can be expected to stay constant as a default for Mojolicious to set, as one may even serve a web application from multiple servers. So it is up to the user how to set secrets.
On Mon, Apr 17, 2017 at 3:07 PM, iaw4 <[email protected]> wrote:

> On Monday, April 17, 2017 at 1:46:22 PM UTC-5, Dan Book wrote:
>>
>> You also need to make sure the secret does not change, as that will
>> invalidate all current sessions. $0 or $$ or anything like that are not
>> good ideas to use for that reason. To change the secret over time you
>> should do secret rotation as detailed here:
>> https://metacpan.org/pod/Mojolicious#secrets
>>
>> On Mon, Apr 17, 2017 at 2:39 PM, ivo welch <[email protected]> wrote:
>>
>>> machine-id is a secret that is machine unique. Unless an outsider has
>>> local access to the machine, this should remain a secret. Moreover, by
>>> salting it with something else (e.g., $0, or perhaps the local user's
>>> encrypted password), even if the machine-id were leaked, it would not leak
>>> further. I am using
>>>
>>>     use Digest::MD5 qw(md5_base64);
>>>     use Mojo::File qw(path);
>>>
>>>     my $midf = (-e "/usr/local/var/lib/dbus/machine-id")
>>>       ? "/usr/local/var/lib/dbus/machine-id" : "/etc/machine-id";
>>>     # hash the contents of the machine-id file, not its path
>>>     my $machine_id = path($midf)->slurp;
>>>     # secrets() takes an array reference
>>>     app->secrets([md5_base64($machine_id . $0)]);
>>>
>>> I am presuming that this is good enough practice.
>>>
>>> /iaw
>
> rotation = good advice, thank you.
>
> $$ would indeed be a bad idea, but I think $0 should remain steady (or
> perhaps $0 =~ s{.*/}{}). Together with the machine-id and perhaps the
> running username, this should remain steady.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Mojolicious" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/mojolicious.
> For more options, visit https://groups.google.com/d/optout.
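The approach Dan describes (the secret is set explicitly by the deployer, stays stable across processes and servers, and is rotated by keeping the old passphrase around for verification) looks like this in a Mojolicious::Lite app. This is an added example, not code from the thread or from Mojolicious itself; it assumes a config file named secrets.conf sitting next to the script, loaded with Mojolicious::Plugin::Config, and the passphrase values in it are placeholders you would replace with long random strings.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite;

# Assumed file "secrets.conf" (Perl data structure, as the Config plugin expects),
# deployed identically to every server so all of them sign and verify the same way:
#
#   {
#     secrets => [
#       'PLACEHOLDER-current-passphrase-2017-04',   # newest: signs new cookies
#       'PLACEHOLDER-previous-passphrase-2017-01',  # older: still verifies existing cookies
#     ],
#   }
#
# Nothing here is derived from $0, $$, the hostname or the username, so a
# renamed script, a restart or a second server does not invalidate sessions.
my $config = plugin Config => {file => 'secrets.conf', default => {secrets => []}};

my $secrets = $config->{secrets};
die "secrets.conf must list at least one secret\n" unless ref $secrets eq 'ARRAY' && @$secrets;

# Only the first passphrase is used to create new signatures; all of them are
# used for verification. Rotation is therefore: prepend a new secret, deploy,
# and drop the oldest entry once all sessions signed with it have expired.
app->secrets($secrets);

get '/login' => sub {
  my $c = shift;
  $c->session(user => 'demo');
  $c->render(text => 'session cookie signed with the current secret');
};

get '/whoami' => sub {
  my $c = shift;
  # A cookie signed under any listed secret is accepted; an unknown or
  # tampered signature yields an empty session.
  $c->render(text => $c->session('user') // 'no valid session');
};

app->start;
```

Run it with `perl myapp.pl daemon`, visit /login and then /whoami; after adding a new first entry to secrets.conf and restarting, /whoami still sees the session because the old secret remains in the list for verification.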
