Posted to dev@roller.apache.org by Anil Gangolli <an...@busybuddha.org> on 2005/12/11 17:30:54 UTC
keys in security.xml
While fixing the login-redirect.jsp issue, I noticed some keys in the
security.xml.
We probably should be telling installing admins to change the keys to
their own site-specific values from the values in the distribution in
the security.xml after installing.
I haven't checked the Acegi code yet, but my fear is that RememberMe
cookies might be forged with knowledge of these keys.
Matt?
--a.
Re: keys in security.xml
Posted by Matt Raible <mr...@gmail.com>.
On 12/11/05, Anil Gangolli <an...@busybuddha.org> wrote:
>
>
> While fixing the login-redirect.jsp issue, I noticed some keys in the
> security.xml.
>
> We probably should be telling installing admins to change the keys to
> their own site-specific values from the values in the distribution in
> the security.xml after installing.
Yes, I definitely agree with this. These keys are used as the "salt" when
doing SHA or MD5 encryption. We could also parse and randomify them at
build time. The good news is that changing them invalidates ones that've
been handed out. We could also make them loaded from the database if
necessary.
> I haven't checked the Acegi code yet, but my fear is that RememberMe
> cookies might be forged with knowledge of these keys.
Yes, this is true.
Matt
>
>
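As an added illustration of the point Matt makes above, here is a small Python model of the cookie layout Acegi's TokenBasedRememberMeServices uses, where the security.xml key is part of the MD5 input; this is example code written for this page, not Roller's or Acegi's own, and the key strings and the user store are constructed placeholders. It shows that a cookie minted under the distribution key is rejected once the site key is replaced, which is why the advice to change the shipped key matters.

```python
import base64
import hashlib
import hmac

# Assumed layout, mirroring Acegi's token-based remember-me scheme:
#   cookie    = base64("username:expiryMillis:signature")
#   signature = md5hex("username:expiryMillis:password:key")
# "key" is the value an installation keeps in security.xml.
DIST_KEY = "placeholder-key-from-distribution"   # constructed, not Roller's real value
SITE_KEY = "placeholder-site-specific-key"       # constructed replacement key
USERS = {"alice": "stored-credential-placeholder"}  # constructed user store


def sign(username: str, expiry_ms: int, password: str, key: str) -> str:
    """Signature over the token fields plus the server-side key."""
    data = f"{username}:{expiry_ms}:{password}:{key}".encode()
    return hashlib.md5(data).hexdigest()


def make_cookie(username: str, expiry_ms: int, password: str, key: str) -> str:
    token = f"{username}:{expiry_ms}:{sign(username, expiry_ms, password, key)}"
    return base64.b64encode(token.encode()).decode()


def validate_cookie(cookie: str, key: str, lookup_password, now_ms: int):
    """Return the username if the cookie verifies under `key`, else None."""
    try:
        username, expiry_str, sig = base64.b64decode(cookie).decode().split(":", 2)
        expiry_ms = int(expiry_str)
    except (ValueError, UnicodeDecodeError):
        return None                     # malformed cookie
    if expiry_ms < now_ms:
        return None                     # expired
    password = lookup_password(username)
    if password is None:
        return None                     # unknown user
    expected = sign(username, expiry_ms, password, key)
    if not hmac.compare_digest(expected, sig):
        return None                     # signature made under a different key
    return username


def demo():
    now = 1_134_000_000_000            # fixed clock so the result is deterministic
    expiry = now + 14 * 24 * 3600 * 1000
    cookie = make_cookie("alice", expiry, USERS["alice"], DIST_KEY)
    with_dist_key = validate_cookie(cookie, DIST_KEY, USERS.get, now)
    after_rotation = validate_cookie(cookie, SITE_KEY, USERS.get, now)
    expired = validate_cookie(cookie, DIST_KEY, USERS.get, expiry + 1)
    return with_dist_key, after_rotation, expired
```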