Only the IdentityProvider base class uses this code (in the event that a *real* provider doesn't support per-user secret tokens). The SqlObjectProvider generates a unique secret token for each user, which is stored in the database.

In addition, I've taken Jorge's advice and moved to using datetime.now() rather than time(), because it resolves down to the microsecond. Good luck guessing the exact microsecond the user's secret token was generated.

On 3 Dec, 2005, at 7:50 am, Evan Monroig wrote:

'p' wrote:

Given that you do this:

self._secretToken= sha.new(str(time.time())).hexdigest()


Hi,

If you really do this in Turbogears, then it is possible to reproduce the hash if you approximately know the time when it was generated...

Wouldn't it be possible to use some kind of more random function for that?


-- 

Jeff Watkins

http://newburyportion.com/


Computers, they're just a fad.
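
An added example (not part of the original message and not TurboGears' own code) for the concern raised in the quoted reply: a token that is only a hash of its creation time has as many possible values as there are clock ticks in the window the creation time can be placed in. It assumes `hashlib.sha1` in place of the old `sha` module and `str(datetime)` as the hashed value; the function names and sample timestamps are constructed for illustration.

```python
import hashlib
import secrets
from datetime import datetime, timedelta


def datetime_token(dt):
    """Timestamp-derived token: SHA-1 of str(datetime), the scheme discussed above."""
    return hashlib.sha1(str(dt).encode()).hexdigest()


def search_space(window_seconds, ticks_per_second=1_000_000):
    """Distinct tokens possible when the creation time is known to +/- window."""
    return int(2 * window_seconds * ticks_per_second) + 1


def find_generation_time(token, approx, window_ms):
    """Audit check: return the datetime whose hash equals token, or None."""
    start = approx - timedelta(milliseconds=window_ms)
    for offset_us in range(2 * window_ms * 1000 + 1):
        candidate = start + timedelta(microseconds=offset_us)
        if datetime_token(candidate) == token:
            return candidate
    return None


def random_token():
    """Hardened form: 160 bits from the OS CSPRNG, independent of the clock."""
    return secrets.token_hex(20)


# Constructed sample values, not taken from any real system.
CREATED = datetime(2005, 12, 3, 7, 50, 0, 123456)   # when the token was made
LOGGED = datetime(2005, 12, 3, 7, 50, 0, 120000)    # coarser time seen elsewhere

if __name__ == "__main__":
    weak = datetime_token(CREATED)
    print("candidates within +/-1 s:", search_space(1))
    print("time-derived token matched at:",
          find_generation_time(weak, LOGGED, window_ms=10))
    print("random token matched at:",
          find_generation_time(random_token(), LOGGED, window_ms=10))
```

Microsecond resolution gives about two million candidates per ±1 second of uncertainty, roughly 21 bits, whereas the `secrets` token carries 160 bits that do not depend on when it was generated.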


