Hi,

I hope I am not just overlooking something and therefore directing the 
following to the right list.
I noticed a few things from having just deployed symfony app [1]:

1) there are several things I of course cannot hide in OSS code using symfony 
that the "project:deploy" task should automatically replace with production 
settings:
for example the database password, the csrf secret. It might make sense to 
think about how to make this sort of thing easy. For example I could of course 
move the csrf_secret to a separate file that I do not rsync. However that then 
means that I have to embed php logic into the setting.yml, which IIRC hurts 
cachability?

2) the csrf protection broke after I changed the name of the cookie for the 
symfony session, of course I was stupid and put in the url name for the cookie 
name which contained a dot. maybe there should be some sanity checking here. 
either simply stripping that sort of thing in production, or raising a log 
warning when running in debug mode.

3) i think that http://symfony-check.org/ is a great idea, I know there is a 
deployment chapter, but I think it would be good to integrate such a check list 
into the official site.

regards,
Lukas Kahwe Smith
[email protected]

[1] http://pooteeweet.org/blog/1768

-- 
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en

Reply via email to