You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@roller.apache.org by Anil Gangolli <an...@busybuddha.org> on 2005/12/11 17:30:54 UTC

keys in security.xml

While fixing the login-redirect.jsp issue, I noticed some keys in the 
security.xml.

We probably should be telling installing admins to change the keys to 
their own site-specific values from the values in the distribution in 
the security.xml after installing.

I haven't checked the Acegi code yet, but my fear is that RememberMe 
cookies might be forged with knowledge of these keys.

Matt?

--a.

Re: keys in security.xml

Posted by Matt Raible <mr...@gmail.com>.

On 12/11/05, Anil Gangolli <an...@busybuddha.org> wrote:
>
>
> While fixing the login-redirect.jsp issue, I noticed some keys in the
> security.xml.
>
> We probably should be telling installing admins to change the keys to
> their own site-specific values from the values in the distribution in
> the security.xml after installing.

Yes, I definitely agree with this.  These keys are used as the "salt" when
doing SHA or MD5 encryption.  We could also parse and randomify them at
build time.  The good news is that changing them invalidates ones that've
been handed out.  We could also make them loaded from the database if
necessary.

I haven't checked the Acegi code yet, but my fear is that RememberMe
> cookies might be forged with knowledge of these keys.

Yes, this is true.

Matt

>
>