The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 |
From: Simon Willison <si...@simonwillison.net>
Date: Fri, 25 Sep 2009 04:27:53 -0700 (PDT)
Local: Fri, Sep 25 2009 7:27 am
Subject: Re: Adding signing (and signed cookies) to Django core
On Sep 25, 12:02 pm, Luke Plant <L.Plant...@cantab.net> wrote:
> In other web apps (I think Wordpress?), there have been problems
I share your concern. In the signed.py module I address your first
> associated with use of secret keys when the same key is used for > different purposes throughout the application. > ... > - we add unique prefixes to the SECRET_KEY for every different > place it is used. So for the e-mail confirmation link, we use > HMAC("email-confirmation" + SECRET_KEY, message) > - also add the ability to do SECRET_KEY rotation, as Simon > suggested. This suggests we want a utility wrapper around hmac > that looks like hmac(unique_key_prefix, key, message) and handles > all the above details for us. point by allowing an additional "extra_key" parameter: >>> signed.dumps('hello', extra_key='ultra')
'UydoZWxsbycKcDAKLg.1XYDpILo5xqSwImfa3WuJJT4RPo'
>>> signed.loads(_, extra_key='ultra')
'hello'
However, this is available on dumps and loads but not on sign and
I'm going to ask on some web security mailing list about best practice
Cheers,
Simon You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
| |||||||||||||