cookie_secret breaks authentication?


Kai H.

Oct 14, 2012, 1:29:49 PM10/14/12
to turbo...@googlegroups.com
Hello,

I have a project with standard TG authentication running with TG 2.2.

Accidentally I just found these lines in my app_cfg.py:

# YOU MUST CHANGE THIS VALUE IN PRODUCTION TO SECURE YOUR APP
base_config.sa_auth.cookie_secret = "ChangeME"
So I changed that string to something else. The curious thing is that afterwards I could not log in with some of the existing users, but could log in with some others. Some efforts like deleting cookies or changing passwords did not work. So I changed it again to "ChangeME" and now it's fine - well, actually not, because I want a secure app ;)

What does this cookie secret actually do? How can I change the secret without breaking the authentication? Are there any restrictions for the secret string?

Thanks in advance.

Kai

Kai H.

Oct 14, 2012, 2:32:46 PM10/14/12
to turbo...@googlegroups.com
Oh, one thing to be more specific.


The curious thing is that afterwards I could not log in with some of the existing users, but could log in with some others.

That means that it says "Wrong credentials" for some users (for the correct credentials), but not for all of them. I know that sounds weird, but that's why I'm asking ;)

Michael Pedersen

Oct 15, 2012, 10:30:14 PM10/15/12
to turbo...@googlegroups.com
The cookie_secret is used in the generation of the HMAC in the
authentication ticket that gets sent down in the cookie. In other
words, simply logging in again should fix it. You shouldn't even have
to reset the password, since it doesn't get used anywhere except in
that.

Can you see any pattern in the failures? Are there any common
characters? I know that, at one point, usernames could not contain
spaces. Are there any other special characters you can see? How about
in the passwords?

My bet is that we have an interaction we don't even know about between
the usernames and cookie secret. If you can find a pattern, we can fix
it.



--
Michael J. Pedersen
My Online Resume: http://www.icelus.org/ -- Google+ http://plus.ly/pedersen
Google Talk: m.ped...@icelus.org -- Twitter: pedersentg
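The mechanism Michael describes, shown as an added illustrative example rather than TurboGears' or repoze.who's actual auth_tkt code: the cookie carries a ticket whose digest is an HMAC keyed by the cookie secret, so a ticket issued under "ChangeME" fails verification under any other secret and the user simply has to log in again. The field layout, digest algorithm and function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative ticket layout (an assumption, not repoze.who's exact format):
#   "<expiry>!<hexdigest>!<userid>"
# where hexdigest = HMAC-SHA256(cookie_secret, "<expiry>\0<userid>").
# The secret never leaves the server; only the digest travels in the cookie.
# userid is the last field so that '!' or spaces in a username cannot
# confuse the parser.


def issue_ticket(secret, userid, ttl_seconds=3600, now=None):
    """Build a signed ticket for userid, valid for ttl_seconds from now."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    payload = "%d\0%s" % (expiry, userid)
    digest = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return "%d!%s!%s" % (expiry, digest, userid)


def verify_ticket(secret, ticket, now=None):
    """Return the userid if the ticket is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    parts = ticket.split("!", 2)
    if len(parts) != 3:
        return None
    expiry_s, digest, userid = parts
    if not expiry_s.isdigit():
        return None
    payload = "%s\0%s" % (expiry_s, userid)
    expected = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a ticket made with another secret (e.g. the
    # old "ChangeME") or a tampered userid fails here.
    if not hmac.compare_digest(expected, digest):
        return None
    if int(expiry_s) <= now:
        return None
    return userid


def new_cookie_secret():
    """A production-grade replacement for "ChangeME": 32 random bytes as hex."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    old = issue_ticket("ChangeME", "kai", now=1350000000)
    print(verify_ticket("ChangeME", old, now=1350000100))           # kai
    print(verify_ticket(new_cookie_secret(), old, now=1350000100))  # None
```

Rotating the secret therefore invalidates every outstanding ticket at once, which is the expected behaviour; it does not touch stored passwords, so a login with the correct credentials should succeed immediately afterwards.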