On Jan 8, 2007, at 2:23 PM, Paul Johnston wrote:
Hi,
I don't know for sure, but I believe it's a HMAC. For ASP.NET it
seems the HMAC key is a per-server secret (with hooks for
synchronising this in a cluster). I actually think that is a
weakness and a per-session key would be preferable.
So... would encrypting the contents of the state hidden fields
securely (probably using sessions or something to store per-session
secrets) make them safely unpickable? This is something that I might
implement in toscawidgets... it already uses middleware to serve
static files and registering the "framework" object into a multiple-
app-per-process-safe module-global so I guess it wouldn't be too hard
to make it send a widget_cookie or something to handle this kind of
state passing...
Another thing to consider is cross-site request forgeries (CSRF).
Ideally the widgets forms would come with built-in protection.
There was a ticket at the Trac for that: http://trac.turbogears.org/ticket/547
At some point I am hoping to do a security audit of TG. Right now
though, I have other priorities, namely getting my app working! :-)
A security audit would be something we'll all appreciate much! :)
Alberto
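The signing scheme the thread is talking about, as an added example that is not code from the original message, from toscawidgets or from TurboGears: hidden widget state is serialised, HMAC-SHA256-tagged with a key, and checked on POST. The `SESSIONS` dict, `SERVER_KEY`, `render_form`, `handle_submit` and the `widget_state` field name are all hypothetical stand-ins for whatever session middleware and field naming the framework would actually use. `demo()` contrasts the per-server key (a token minted under it verifies for any session) with a per-session key (Alice's hidden fields are rejected when replayed in Bob's session), and binds a per-session CSRF token into the signed state. Note that an HMAC only gives integrity: the payload stays readable, so it does not make the contents "unpickable" and nothing secret should be put in it.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os

# Hypothetical server-side session store: session id -> per-session secrets.
# In a real app this would be the session middleware's storage.
SESSIONS = {}

# A single per-server key, as the thread says ASP.NET uses (constructed here).
SERVER_KEY = os.urandom(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def new_session() -> str:
    """Create a session with its own random state-signing key and CSRF token."""
    sid = _b64e(os.urandom(16))
    SESSIONS[sid] = {"state_key": os.urandom(32), "csrf": _b64e(os.urandom(16))}
    return sid


def sign_state(state: dict, key: bytes) -> str:
    """Serialise widget state and append an HMAC-SHA256 tag as 'payload.tag'.

    HMAC gives integrity only: the payload is not hidden from the client.
    """
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_state(token: str, key: bytes):
    """Return the state dict if the tag verifies under `key`, else None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):   # malformed token
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(payload)


def render_form(sid: str, state: dict) -> dict:
    """Hidden fields the widget would emit for session `sid` (hypothetical names)."""
    sess = SESSIONS[sid]
    bound = dict(state, _csrf=sess["csrf"])   # CSRF token travels inside the signed state
    return {"widget_state": sign_state(bound, sess["state_key"])}


def handle_submit(sid: str, form: dict):
    """Accept a POST only if the state verifies under *this* session's key and
    carries this session's CSRF token. Returns the state dict or None."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    state = verify_state(form.get("widget_state", ""), sess["state_key"])
    if state is None:
        return None
    csrf = state.get("_csrf")
    if not isinstance(csrf, str) or not hmac.compare_digest(csrf.encode(), sess["csrf"].encode()):
        return None
    return state


def demo() -> dict:
    alice, bob = new_session(), new_session()
    hidden = render_form(alice, {"page": 3, "sort": "name"})

    # Per-server key: nothing ties a token to the session it was minted for,
    # so a token captured from any session verifies in every other session.
    shared = sign_state({"page": 3}, SERVER_KEY)
    server_key_cross_session = verify_state(shared, SERVER_KEY) is not None

    # Per-session key: Alice's hidden fields fail verification in Bob's session.
    session_key_replay = handle_submit(bob, hidden) is not None
    legit = handle_submit(alice, hidden) is not None

    # Editing the payload while keeping the old tag breaks the HMAC.
    _, tag_b64 = hidden["widget_state"].split(".", 1)
    forged = _b64e(b'{"_csrf":"x","page":99,"sort":"name"}') + "." + tag_b64
    tampered = handle_submit(alice, {"widget_state": forged}) is not None

    return {
        "server_key_cross_session": server_key_cross_session,
        "session_key_replay": session_key_replay,
        "legit": legit,
        "tampered": tampered,
    }


if __name__ == "__main__":
    print(demo())
```

The per-session key is what makes cross-session replay fail; the CSRF token inside the signed state is then largely redundant for forms that carry state, but it is cheap and covers forms that carry none.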