This was discussed previously on the list, but having a random string would be a bad idea, especially if you do some kind of load balancing between servers (e.g. server1 would get a different passphrase from server2, and server2 will not want to process form submissions from server1).
I don't think the hmac passphrase does anything to change your session expiration.

Cheers - Alex K

On Wed, Nov 21, 2012 at 4:13 PM, TG <tapestry...@hotmail.com> wrote:

> Error message is "The symbol 'tapestry.hmac-passphrase' has not been
> configured. This is used to configure hash-based message authentication of
> Tapestry data stored in forms, or in the URL. You application is less
> secure, and more vulnerable to denial-of-service attacks, when this symbol
> is not configured.
> "
>
> We just want to get rid of the above message.
>
> If we add the following (copied from one of the users' replies at
> http://tapestry.1045711.n5.nabble.com/hmac-sample-td5716873.html -
>
>     configuration.add(SymbolConstants.HMAC_PASSPHRASE, new BigInteger(130, new SecureRandom()).toString(32));
>
> The session times out frequently, as soon as less than 1 minute, with an error
> message like your HMAC id is different from whatever, which is not helpful
> as the users are still working on the form. We need to fill out a lot of
> information in the HTML form, before submitting :)
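
The failure discussed in this thread, as an added example that is not part of the original messages and is not Tapestry's own code: a tag signed with one node's random passphrase does not verify on another node (or after a restart), while a fixed passphrase shared through deployment configuration does. HmacSHA1, the sample form data and the HMAC_PASSPHRASE_DEMO variable name are assumptions made for the demonstration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class HmacPassphraseDemo {

    // HMAC over serialized form data; HmacSHA1 is an assumption for this demo.
    static byte[] sign(String passphrase, String formData) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(passphrase.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return mac.doFinal(formData.getBytes(StandardCharsets.UTF_8));
    }

    // Constant-time comparison of the submitted tag against the recomputed one.
    static boolean verify(String passphrase, String formData, byte[] tag) throws Exception {
        return MessageDigest.isEqual(sign(passphrase, formData), tag);
    }

    // The snippet quoted in the thread: a new value on every JVM start.
    static String randomPassphrase() {
        return new BigInteger(130, new SecureRandom()).toString(32);
    }

    public static void main(String[] args) throws Exception {
        String formData = "t:formdata=constructed-sample"; // constructed sample input

        // Case 1: each node (or each restart) generates its own passphrase.
        String server1 = randomPassphrase();
        String server2 = randomPassphrase();
        byte[] tag = sign(server1, formData); // form rendered by server1
        System.out.println("random, same node:  " + verify(server1, formData, tag));
        System.out.println("random, other node: " + verify(server2, formData, tag));

        // Case 2: one secret read from deployment configuration on every node.
        // HMAC_PASSPHRASE_DEMO is a hypothetical environment variable name.
        String shared = System.getenv().getOrDefault("HMAC_PASSPHRASE_DEMO",
                "constructed-placeholder-not-for-production");
        tag = sign(shared, formData);
        System.out.println("shared, other node: " + verify(shared, formData, tag));

        // Tampered form data is still rejected when the secret is shared.
        System.out.println("shared, tampered:   " + verify(shared, formData + "x", tag));
    }
}
```

The same reasoning applies to the value passed to SymbolConstants.HMAC_PASSPHRASE: it should be a long random string generated once and supplied identically to every node, kept out of source control.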