Hi,

I don't know for sure, but I believe it's a HMAC. For ASP.NET it seems the
HMAC key is a per-server secret (with hooks for synchronising this in a
cluster). I actually think that is a weakness and a per-session key would be
preferable.

Another thing to consider is cross-site request forgeries (CSRF). Ideally
the widgets' forms would come with built-in protection.

At some point I am hoping to do a security audit of TG. Right now though, I
have other priorities, namely getting my app working! :-)

Paul



Indeed. Any hints on how they implemented that? We can use HMAC for the
crypto part, it is available in the standard library...
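A sketch of the scheme discussed in this thread, added here as an example and not code from TurboGears or from either poster: serialised form state is signed with an HMAC whose key is derived per session from the server secret (so a forged tag is scoped to one session), and a CSRF token is bound to the session and compared in constant time. The function names, the derivation label and the "payload.tag" token format are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example, not TurboGears code. The server secret would live in
# the app config; the session id comes from the session cookie.


def derive_session_key(server_secret: bytes, session_id: str) -> bytes:
    """Per-session MAC key: HMAC of the session id under the server secret.
    A leaked or forged tag is then only valid for that one session."""
    label = b"form-mac:" + session_id.encode()
    return hmac.new(server_secret, label, hashlib.sha256).digest()


def sign_form_state(session_key: bytes, state: dict) -> str:
    """Return 'payload.tag': canonical JSON (hex) plus its HMAC-SHA256 tag."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(session_key, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def verify_form_state(session_key: bytes, token: str):
    """Return the state dict if the tag verifies, else None.
    None covers tampering, a token from another session, and malformed input."""
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(session_key, payload, hashlib.sha256).hexdigest()
    # Constant-time compare so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def new_csrf_token() -> str:
    """Random token stored in the session and embedded in each widget form."""
    return secrets.token_hex(16)


def csrf_token_valid(session_token: str, submitted: str) -> bool:
    """A POST is accepted only if the submitted token matches the session's."""
    return hmac.compare_digest(session_token, submitted)
```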

