> > Additionally you could provide help on how to generate such a secret (but
> > that's extra candy). I have looked through various parts of the
> > documentation and it is always set to something like 'seekrit' and similar,
> > but it is never mentioned how to make sure that this is secure.
fwiw, wordpress has had this feature for a while: the docs instruct you to visit the following url, which generates valid secret strings.

http://api.wordpress.org/secret-key/1.1/

i think most of the application scaffolds will generate a secret - but it might be a useful feature to just have a secret-key generator on the pylonsproject.org site and referenced in the docs.

I've also generally disliked the mod_authtkt for a few years. i've opted for an approach where the secret rotates based on the timestamp and/or ip/other data. it's a bit harder to set up in a clustered environment, but the tickets are HMAC with SHA512 with rotating keys. it doesn't make it unbreakable, but just a bit more of a pain to break and with some sort of timed window before you need to break it again.

--
You received this message because you are subscribed to the Google Groups "pylons-devel" group.
To view this discussion on the web visit https://groups.google.com/d/msg/pylons-devel/-/4dxNXUSoAPAJ.
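The two ideas in the message above, a properly random secret instead of `'seekrit'` and a ticket MAC whose key rotates with a time window, can be sketched in a few lines of Python. This is an added example, not code from the poster or from Pylons or mod_auth_tkt; the ticket format (`timestamp:user:mac`), the one-hour window, the two-hour acceptance age and the clock-skew allowance are all assumptions chosen for illustration, and the key derivation (HMAC of the window index under a long-lived master secret) is one simple way to get per-window keys from a single configured value.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for the example (not from the original post).
WINDOW_SECONDS = 3600          # how often the signing key rotates
MAX_TICKET_AGE = 2 * WINDOW_SECONDS   # how long a ticket stays valid
CLOCK_SKEW = 300               # tolerate clients/servers a few minutes apart


def generate_secret(nbytes: int = 32) -> str:
    """Return a hex secret drawn from the OS CSPRNG (32 bytes -> 64 hex chars).

    This is the kind of value the docs should show instead of 'seekrit'.
    """
    return secrets.token_hex(nbytes)


def window_key(master_secret: bytes, ts: int, window: int = WINDOW_SECONDS) -> bytes:
    """Derive the signing key for the rotation window that contains `ts`.

    All nodes in a cluster share only the master secret and the clock, so
    every node derives the same per-window key without coordination.
    """
    window_index = ts // window
    return hmac.new(master_secret, str(window_index).encode(), hashlib.sha512).digest()


def make_ticket(master_secret: bytes, user_id: str, ts: int) -> str:
    """Issue a ticket 'ts:user:mac' signed with the key of the current window."""
    if ":" in user_id:
        raise ValueError("user id must not contain ':' (it is the field separator)")
    key = window_key(master_secret, ts)
    payload = f"{ts}:{user_id}".encode()
    mac = hmac.new(key, payload, hashlib.sha512).hexdigest()
    return f"{ts}:{user_id}:{mac}"


def verify_ticket(master_secret: bytes, ticket: str, now: int,
                  max_age: int = MAX_TICKET_AGE) -> Optional[str]:
    """Return the user id if the ticket is authentic and fresh, else None.

    The key is re-derived from the ticket's own timestamp, so a ticket minted
    in an earlier window still verifies until max_age expires; after that the
    timestamp check rejects it regardless of whether the MAC is valid.
    """
    parts = ticket.split(":")
    if len(parts) != 3:
        return None
    ts_str, user_id, mac = parts
    if not ts_str.isdigit():
        return None
    ts = int(ts_str)
    # Freshness: reject tickets from the future (beyond skew) or older than max_age.
    if ts > now + CLOCK_SKEW or now - ts > max_age:
        return None
    key = window_key(master_secret, ts)
    expected = hmac.new(key, f"{ts}:{user_id}".encode(), hashlib.sha512).hexdigest()
    # Constant-time comparison avoids leaking MAC bytes through timing.
    if not hmac.compare_digest(mac, expected):
        return None
    return user_id


if __name__ == "__main__":
    # Constructed demo: a fresh secret, a ticket, and its verification.
    secret = bytes.fromhex(generate_secret())
    issued_at = 1_000_000
    t = make_ticket(secret, "alice", issued_at)
    print("secret:", secret.hex())
    print("ticket:", t)
    print("verify +60s:", verify_ticket(secret, t, now=issued_at + 60))
    print("verify +3h :", verify_ticket(secret, t, now=issued_at + 3 * 3600))
```

Because the window key is derived from the timestamp inside the ticket, an attacker who learns one window's key gains nothing after `max_age` passes, which is the "timed window before you need to break it again" the message describes; the master secret itself never leaves the configuration.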