Hello Henning,

On 20 May 2014, at 20:40, Henning Sprang <henning.spr...@gmail.com> wrote:

> The question is, what happens when I lose it - when it's used for
> password hash salt, doesn't that mean if it's lost, all users have to
> reset their password, don't they?

If it were used for that, that would indeed be the scenario. Fortunately, it's not. There is a current ticket open on documenting exactly this question: https://code.djangoproject.com/ticket/22310. I'd worked through most of it but somehow lost my changes.

From memory, and without review by a second pair of eyes, I believe the effects are limited to:

- All currently existing sessions are invalidated.
- All password reset tokens are invalidated.
- All form previews in progress require an additional confirmation.
- All form wizards in progress are reset, and if using the cookie backend for form wizards, this may lead to exceptions.

Also, any third-party packages or any of your own code that uses the secret key may be affected. Notably not affected (in Django itself) are user passwords, and general content in the database.

> Also, if it should be kept secret, I guess it's safe to assume that
> using an online generator like
> https://djskgen.herokuapp.com/ is not the smartest idea one can come
> up with, right?

I would not recommend using such a service. Although it's probably not malicious, there is no reason to use this either. Remember also that the secret key has no particular format. Any random string, e.g. one that you may get from a password manager, can be used.

And yes, it is very important to keep it secret. The worst case scenario for secret key leakage, in particular configurations, is arbitrary remote code execution.

cheers,
Erik
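An added illustration of the distinction Erik draws above (not code from the thread or from Django itself): a simplified stand-in for Django's HMAC-based signer shows that a session or password-reset token signed under the old SECRET_KEY stops verifying once the key is rotated, while a PBKDF2 password hash, which depends only on its own per-user salt, keeps verifying. Key values and the `rotation_effects` helper are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Simplified model of django.core.signing.Signer (assumption, not Django's code):
# value + ":" + urlsafe-base64(HMAC-SHA256(secret_key, value)).
def sign(value: str, secret_key: str) -> str:
    mac = hmac.new(secret_key.encode(), value.encode(), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return f"{value}:{sig}"


def unsign(signed: str, secret_key: str) -> Optional[str]:
    """Return the payload if the signature verifies under secret_key, else None."""
    value, _, _sig = signed.rpartition(":")  # the base64 signature never contains ':'
    expected = sign(value, secret_key)
    if hmac.compare_digest(expected, signed):
        return value
    return None  # wrong or rotated key: the token is now invalid


# Password storage modelled on Django's PBKDF2 hasher: the salt is per user and
# random, so SECRET_KEY plays no part in verifying a password.
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"


def check_password(password: str, encoded: str) -> bool:
    _, salt_hex, dk_hex = encoded.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def rotation_effects(old_key: str, new_key: str) -> dict:
    """Issue a token and a password hash under old_key, then rotate to new_key."""
    token = sign("session:42", old_key)          # constructed session-style payload
    stored_hash = hash_password("correct horse")  # constructed user password
    return {
        "token_valid_before": unsign(token, old_key) == "session:42",
        "token_valid_after": unsign(token, new_key) == "session:42",
        "password_valid_after": check_password("correct horse", stored_hash),
    }


if __name__ == "__main__":
    print(rotation_effects("old-secret-key", "new-secret-key"))
```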