On 12/11/05, Anil Gangolli <[EMAIL PROTECTED]> wrote:
>
>
> While fixing the login-redirect.jsp issue, I noticed some keys in the
> security.xml.
>
> We probably should be telling installing admins to change the keys to
> their own site-specific values from the values in the distribution in
> the security.xml after installing.
Yes, I definitely agree with this.  These keys are used as the "salt" when
doing SHA or MD5 encryption.  We could also parse and randomify them at
build time.  The good news is that changing them invalidates ones that have
been handed out.  We could also make them loaded from the database if
necessary.

> I haven't checked the Acegi code yet, but my fear is that RememberMe
> cookies might be forged with knowledge of these keys.

Yes, this is true.

Matt

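To make the point in the thread concrete, here is an added example (written for this edit, not code from Roller, Acegi or anyone in the thread) of a token-style remember-me cookie whose only secret is the key from security.xml. The cookie layout, the placeholder key value "changeme" and the fixed timestamp are assumptions; the real Acegi token binds further fields, so treat this as a model of the mechanism rather than a reproduction of it. It shows both halves of the observation above: anyone holding the shipped key can mint a cookie that validates for any username, and rotating the key to a site-specific random value rejects every cookie issued under the old one, forged or legitimate.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed model of a token-based remember-me cookie, loosely following the
# shape of Acegi's TokenBasedRememberMeServices (ASSUMED layout, not Acegi code):
#   base64( username ":" expiry_ms ":" md5hex(username ":" expiry_ms ":" key) )
# The only secret is `key`, which is what security.xml ships with a fixed value.


def make_signature(username, expiry_ms, key):
    """Hex MD5 over the cookie fields and the site key."""
    data = f"{username}:{expiry_ms}:{key}".encode()
    return hashlib.md5(data).hexdigest()


def issue_cookie(username, key, lifetime_s, now=None):
    """Mint a cookie valid for lifetime_s seconds. Anyone holding `key` can do this."""
    now = time.time() if now is None else now
    expiry_ms = int((now + lifetime_s) * 1000)
    sig = make_signature(username, expiry_ms, key)
    return base64.b64encode(f"{username}:{expiry_ms}:{sig}".encode()).decode()


def validate_cookie(cookie, key, now=None):
    """Return the username the cookie names if it verifies under `key`, else None."""
    now = time.time() if now is None else now
    try:
        raw = base64.b64decode(cookie, validate=True).decode()
        username, expiry_s, sig = raw.split(":")
        expiry_ms = int(expiry_s)
    except ValueError:
        # bad base64 (binascii.Error), bad UTF-8, wrong field count or non-numeric expiry
        return None
    expected = make_signature(username, expiry_ms, key)
    if not hmac.compare_digest(sig, expected):
        return None  # signed under a different key, or tampered with
    if expiry_ms < int(now * 1000):
        return None  # expired
    return username


def demo():
    """Forge with the shipped key, then show that rotating the key kills outstanding cookies."""
    shipped_key = "changeme"    # constructed placeholder for the value in the distributed security.xml
    now = 1_134_345_600         # constructed: fixed December 2005 timestamp so the run is repeatable

    # A legitimate user logs in and is handed a two-week cookie.
    legit = issue_cookie("alice", shipped_key, 14 * 86400, now=now)

    # An attacker who read the default key from the distribution mints an admin cookie.
    forged = issue_cookie("admin", shipped_key, 365 * 86400, now=now)

    # The installing admin rotates to a random site-specific key.
    site_key = secrets.token_hex(32)

    return {
        "legit_before_rotation": validate_cookie(legit, shipped_key, now=now),
        "forged_before_rotation": validate_cookie(forged, shipped_key, now=now),
        "legit_after_rotation": validate_cookie(legit, site_key, now=now),
        "forged_after_rotation": validate_cookie(forged, site_key, now=now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Running it prints "admin" for the forged cookie under the shipped key and None for both cookies once the key has changed, which is exactly why the advice is to change the keys right after installing and to expect every remembered session to be logged out when you do.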