Hello,

i have a project with standard-tg authentication running with TG 2.2.

Accidentally i just found these lines in my app_cfg.py

# YOU MUST CHANGE THIS VALUE IN PRODUCTION TO SECURE YOUR APP

So i changed that string to something else. The curious thing is, that
afterwards i could not login with some of the existing users, but could
login with some others. Some efforts like deleting cookies or changing
passwords did not work. So i changed it again to "ChangeME" and now its
fine - well, actually not cause i want a secure app ;)

What does this cookie secret actually do? How can i change the secret
without breaking the authentication? Are there any restrictions for the
secret-string?

Thanks in advance.

Kai

Oh, one thing to be more specific.

The curious thing is, that afterwards i could not login with some of the

That means that it says "Wrong credentials" for some users (for the correct
credentials), but not for all of them. I know that sounds weird, but thats
why i'm asking ;)

The cookie_secret is used in the generation of the HMAC in the
authentication ticket that gets sent down in the cookie. In other
words, simply logging in again should fix it. You shouldn't even have
to reset the password, since it doesn't get used anywhere except in
that.

Can you see any pattern in the failures? Are there any common
characters? I know that, at one point, usernames could not contain
spaces. Are there any other special characters you can see? How about
in the passwords?

My bet is that we have an interaction we don't even know about between
the usernames and cookie secret. If you can find a pattern, we can fix
it.

--
Michael J. Pedersen
My Online Resume: http://www.icelus.org/ -- Google+ http://plus.ly/pedersen
Google Talk: m.peder...@icelus.org -- Twitter: pedersentg