Hi, I hope I am not just overlooking something and therefore directing the following to the right list. I noticed a few things from having just deployed symfony app [1]:
1) there are several things I of course cannot hide in OSS code using symfony that the "project:deploy" task should automatically replace with production settings: for example the database password, the csrf secret. It might make sense to think about how to make this sort of thing easy. For example I could of course move the csrf_secret to a separate file that I do not rsync. However that then means that I have to embed php logic into the setting.yml, which IIRC hurts cachability? 2) the csrf protection broke after I changed the name of the cookie for the symfony session, of course I was stupid and put in the url name for the cookie name which contained a dot. maybe there should be some sanity checking here. either simply stripping that sort of thing in production, or raising a log warning when running in debug mode. 3) i think that http://symfony-check.org/ is a great idea, I know there is a deployment chapter, but I think it would be good to integrate such a check list into the official site. regards, Lukas Kahwe Smith [email protected] [1] http://pooteeweet.org/blog/1768 -- If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com You received this message because you are subscribed to the Google Groups "symfony developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
