Should I create an issue for changes to the book? Or do you already have it 
notated?

On Friday, January 31, 2014 12:55:51 PM UTC-5, Massimo Di Pierro wrote:
>
> It should be modified.
>
>
> On Thursday, 30 January 2014 11:35:08 UTC-6, User wrote:
>>
>> Ok I was confused because the book says (
>> http://www.web2py.com/book/default/chapter/09#Settings-and-messages)
>>
>> The following is a very important setting:
>>
>> auth.settings.hmac_key = None
>>
>> It must be set to something like "sha512:a-pass-phrase" and it will be 
>> passed to the CRYPT validator for the "password" field of the 
>> auth_user table. It will be the algorithm and a-pass-phrase used to hash the 
>> passwords.
>>
>> Do you think the book should be modified to reflect that this is 
>> automatically done already?
>>  
>> I see in a different section it says:
>>
>> The password field of the db.auth_user table defaults to a CRYPT validator, 
>> which needs an 
>> hmac_key. On legacy web2py applications you may see an extra argument 
>> passed to the Auth constructor: hmac_key = Auth.get_or_create_key(). The 
>> latter is a function that reads the HMAC key from a file "private/auth.key" 
>> within the application folder. If the file does not exist it creates a 
>> random hmac_key. If multiple apps share the same auth database, make 
>> sure they also use the same hmac_key. This is no longer necessary for 
>> new applications since passwords are salted with an individual random salt.
>>
>> But it wasn't clear to me whether I should set it or not as the two 
>> sections kind of go against each other.
>>  
>> On Thursday, January 30, 2014 8:42:37 AM UTC-5, Massimo Di Pierro wrote:
>>
>>> This is really not necessary since we automatically salt and hash all 
>>> passwords.
>>>  
>>> On Tuesday, 28 January 2014 17:04:37 UTC-6, User wrote:
>>>
>>>> Is it best practice to set 
>>>> auth.settings.hmac_key='sha512:somelongpassword'?  Or is this not 
>>>> necessary?  And if I should do it, does it need to be done before 
>>>> auth.define_tables? 
>>>>
>>>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
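The difference behind the two book passages quoted in this thread, as an added example (not code from the thread, the book, or web2py itself): one application-wide key yields identical records for identical passwords and has to be shared by every app using the database, while a per-password random salt stored with the digest needs no shared secret. The function names, the `salt$digest` record layout and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative work factor chosen for this example


def keyed_hash(password, hmac_key):
    """Legacy style: one application-wide secret, no per-password salt."""
    alg, key = hmac_key.split(":", 1)  # e.g. "sha512:a-pass-phrase"
    return hmac.new(key.encode(), password.encode(), alg).hexdigest()


def salted_hash(password, salt=None):
    """Per-password random salt, stored next to the digest (assumed layout)."""
    if salt is None:
        salt = os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), salt.encode(), ITERATIONS
    )
    return "%s$%s" % (salt, digest.hex())


def verify_keyed(password, stored, hmac_key):
    # Only works if the verifying app holds the same key that wrote the record.
    return hmac.compare_digest(keyed_hash(password, hmac_key), stored)


def verify_salted(password, stored):
    # Everything needed to recompute the digest travels with the record.
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real application.
    key_a, key_b = "sha512:a-pass-phrase", "sha512:another-pass-phrase"
    alice, bob = keyed_hash("hunter2", key_a), keyed_hash("hunter2", key_a)
    print("keyed: same password gives same record:", alice == bob)
    print("keyed: app with a different key verifies:",
          verify_keyed("hunter2", alice, key_b))
    alice, bob = salted_hash("hunter2"), salted_hash("hunter2")
    print("salted: same password gives same record:", alice == bob)
    print("salted: any app verifies:", verify_salted("hunter2", alice))
```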