On 10/03/2011 01:05 AM, Paul McMillan wrote:
>> Isn't there also the possibility that the attacker can somehow get arbitrary
>> data signed into the session cookie without knowing SECRET_KEY?
> That's not a viable attack route. It's much less likely than a
> developer exposing their SECRET_KEY.
Now that I have read most of the code related to this, I must say the
above is true.
The biggest risk that comes to mind is doing a quick little demo
project, leaving it running somewhere publicly while also releasing the
source code of that demo project. You might not care about the data you
have in that demo, so having SECRET_KEY revealed doesn't sound that bad.
For example, I have done exactly the above, though only on an internally
available machine here at work. If I were using the cookie backend, that
would mean I also gave remote shell rights to my box, which doesn't sound
nice. I wonder if I am the only one who has done that.
On the other hand, having my user account's password accidentally
revealed also means a remote shell, so in that way there is no big
difference here...
- Anssi
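The property both posters are discussing, that the signing key is the only thing standing between an outsider and a session the server accepts as its own, is easy to see in a small signed-cookie implementation. The block below is an added example written for this thread; it is a simplified, hypothetical design and not Django's own `django.core.signing` or its cookie session backend. It assumes a JSON payload (data only, never pickle) plus an HMAC-SHA256 tag, and it shows four checks a defender cares about: a valid cookie round-trips, a tampered payload is rejected, a cookie made under a different key is rejected, and, once the key is known, any session content verifies, which is exactly why a leaked SECRET_KEY has to be treated as a full compromise of session state.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical, simplified signed-cookie session used for illustration only.
# Not Django's implementation; the shape (payload.signature) is chosen so the
# checks below are easy to follow.


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(session: dict, secret_key: bytes) -> str:
    """Serialise the session as JSON and append an HMAC-SHA256 tag keyed on secret_key.

    Using JSON rather than pickle means the worst a key holder can do is mint
    arbitrary *data*; the server never executes anything it deserialises.
    """
    raw = json.dumps(session, sort_keys=True, separators=(",", ":")).encode("utf-8")
    payload = _b64(raw)
    mac = hmac.new(secret_key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def load_session(cookie: str, secret_key: bytes) -> Optional[dict]:
    """Return the session dict if the tag verifies under secret_key, else None."""
    try:
        payload, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed: no separator
    expected = hmac.new(secret_key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        session = json.loads(_unb64(payload))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    return session if isinstance(session, dict) else None


def demo() -> dict:
    """Run the four checks with a constructed session and return the outcomes."""
    key = secrets.token_bytes(32)  # constructed: a fresh key for this run
    cookie = sign_session({"user_id": 7, "is_staff": False}, key)

    # 1. A genuine cookie round-trips.
    valid = load_session(cookie, key) == {"user_id": 7, "is_staff": False}

    # 2. Editing the payload while keeping the old tag is rejected.
    mac = cookie.rsplit(".", 1)[1]
    edited_payload = _b64(b'{"is_staff":true,"user_id":7}')
    tampered_accepted = load_session(f"{edited_payload}.{mac}", key) is not None

    # 3. A cookie signed under some other key is rejected here.
    other_key_accepted = load_session(cookie, secrets.token_bytes(32)) is not None

    # 4. Anyone holding the key can produce a cookie the server trusts:
    #    key disclosure means every session value is attacker-chosen.
    minted = load_session(sign_session({"user_id": 1, "is_staff": True}, key), key)
    key_holder_accepted = minted == {"user_id": 1, "is_staff": True}

    # 5. Rotating the key invalidates everything signed under the old one.
    rotated_key = secrets.token_bytes(32)
    survives_rotation = load_session(cookie, rotated_key) is not None

    return {
        "valid_roundtrip": valid,
        "tampered_accepted": tampered_accepted,
        "other_key_accepted": other_key_accepted,
        "key_holder_accepted": key_holder_accepted,
        "survives_rotation": survives_rotation,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last two checks are the ones that matter for the demo-project scenario above: a published key lets anyone mint a session the server trusts, and the only remedy is rotating SECRET_KEY, which logs everyone out. What the serializer decides is the blast radius. With a data-only format such as the JSON used here, a leaked key buys forged session data; with pickle, which is what the cookie backend serialised at the time of this thread, it buys code execution, which is the "remote shell" the post refers to. Django later made a JSON serializer the default for sessions for this reason.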
--
You received this message because you are subscribed to the Google Groups "Django developers" group.