On 2014-05-20 21:34, Erik Romijn wrote:
> > The question is, what happens when I lose it - when it's used for password hash salt, doesn't that mean if it's lost, all users have to reset their password, don't they?
>
> If it were used for that, that would indeed be the scenario. Fortunately, it's not.
>
> There is a current ticket open on documenting exactly this question: https://code.djangoproject.com/ticket/22310. I'd worked through most of it but somehow lost my changes.
>
> From memory, and without review by a second pair of eyes, I believe the effects are limited to:
> - All currently existing sessions are invalidated.
> - All password reset tokens are invalidated.
> - All form previews in progress require an additional confirmation.
> - All form wizards in progress are reset, and if using the cookie backend for form wizards, this may lead to exceptions.
>
> Also, any third party packages or any of your own code that uses the secret key may be affected. Notably not affected (in Django itself) are user passwords, and general content in the database.
Thanks for the concise summary. I've researched this on my own in the past enough to know that passwords weren't impacted, and session tokens were invalid, but the others didn't register to me when I grepped the code-base.

> And yes, it is very important to keep it secret. The worst case scenario for secret key leakage, in particular configurations, is arbitrary remote code execution.

Could you elaborate on how such remote-code execution would happen?

Thanks,
-Tim

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/20140520152727.754c92c2%40bigbox.christie.dr.
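To make Erik's list concrete, here is an added illustration (not code from the thread or from Django itself) of why rotating SECRET_KEY invalidates signed artefacts such as session cookies and reset tokens but leaves stored password hashes usable. It is a simplified, standard-library-only model of the two mechanisms: a salted HMAC derived from the secret for signing, and PBKDF2 with a per-user random salt for passwords; the function names mirror Django's for readability but the encodings are not Django's wire format.

```python
"""Constructed model: SECRET_KEY-bound signing vs. secret-independent password hashing."""
import base64
import hashlib
import hmac
import os


def salted_hmac(key_salt, value, secret):
    # Like Django's salted_hmac: the HMAC key is derived from (key_salt + SECRET_KEY),
    # so every signer (sessions, reset tokens, form wizards) is bound to the secret.
    derived = hashlib.sha1((key_salt + secret).encode()).digest()
    return hmac.new(derived, value.encode(), hashlib.sha1).hexdigest()


def sign(value, secret, key_salt="django.core.signing"):
    return f"{value}:{salted_hmac(key_salt, value, secret)}"


def unsign(signed, secret, key_salt="django.core.signing"):
    value, _, sig = signed.rpartition(":")
    if hmac.compare_digest(sig, salted_hmac(key_salt, value, secret)):
        return value
    return None  # Django raises BadSignature here: the session/token is rejected


def make_password(password, salt=None, iterations=100_000):
    # PBKDF2 keyed only by a random per-user salt stored alongside the hash;
    # SECRET_KEY plays no part, which is why rotating it does not touch passwords.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def check_password(password, encoded):
    _algo, iterations, salt_b64, dk_b64 = encoded.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(base64.b64encode(dk).decode(), dk_b64)


def rotate_key_effects(old_secret, new_secret, session_value, password):
    """Report which artefacts created under old_secret still verify after rotation."""
    cookie = sign(session_value, old_secret)      # issued before the rotation
    stored_hash = make_password(password)          # stored in the user table
    return {
        "session_valid_before_rotation": unsign(cookie, old_secret) == session_value,
        "session_valid_after_rotation": unsign(cookie, new_secret) == session_value,
        "password_valid_after_rotation": check_password(password, stored_hash),
    }
```

The same pattern applies to password reset tokens, which Django signs with a different key_salt but the same SECRET_KEY, so they fail verification after rotation exactly as the session cookie does.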