On Wed, 2008-11-12 at 13:29 -0500, Marty Alchin wrote:
> On Tue, Nov 11, 2008 at 10:05 PM, Malcolm Tredinnick
> <[EMAIL PROTECTED]> wrote:
> > On Wed, 2008-11-12 at 00:12 -0200, Juanjo Conti wrote:
> >> Is there any problem with changing my SECRET_KEY from a running project?
> >
> > Searching for all uses for the word SECRET_KEY in the source of Django
> > would have gone a fair way towards answering that question.
>
> Also of note is that some third-party applications, like my own signed
> cookies app, rely on SECRET_KEY for other uses. I can't speak for
> other apps, but if you're using signed cookies, all cookies that were
> signed with the old SECRET_KEY will be rejected as invalid with the
> new one.

Which is really another reason why searching sources is the way to answer this question for the original poster. Fortunately, your usage also falls under the case of transient inconvenience: current signed cookies won't be validated and will have to be recreated.

This has made me think that I hope nobody ever does anything like using the secret key to store permanent information in the database that is required for all time and cannot be recovered without the key. It must be possible to change the SECRET_KEY setting for security reasons (it could leak; employees with access could change, etc). We should probably document this. This is kind of obvious when you spend a minute thinking about it, but "thinking about it" isn't always a strong point in software design.

Regards,
Malcolm
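The rejection Marty describes and the "transient inconvenience" Malcolm notes, as an added example that is not part of the original thread, of Django, or of the signed cookies app: a minimal HMAC cookie signer using only the Python standard library. The function names, cookie format, key strings and the `old_keys` fallback list are assumptions made for illustration.

```python
import base64
import hashlib
import hmac


def _mac(value: str, key: str) -> bytes:
    # HMAC-SHA256 over the cookie value, keyed by the secret.
    digest = hmac.new(key.encode(), value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=")


def sign(value: str, key: str) -> str:
    return f"{value}:{_mac(value, key).decode()}"


def unsign(cookie: str, key: str, old_keys=()):
    """Return the value if the signature verifies, else None.

    old_keys (hypothetical parameter) are retired keys that are still
    accepted for verification but never used to sign new cookies.
    """
    value, sep, sig = cookie.rpartition(":")
    if not sep:
        return None
    for candidate in (key, *old_keys):
        # Constant-time comparison avoids leaking how much of the MAC matched.
        if hmac.compare_digest(sig.encode(), _mac(value, candidate)):
            return value
    return None


def demo():
    old_key = "constructed-old-key"  # constructed sample values
    new_key = "constructed-new-key"
    cookie = sign("user=42", old_key)
    forged = "user=1:" + cookie.rpartition(":")[2]  # value changed, MAC reused
    return {
        "before_rotation": unsign(cookie, old_key),
        "after_rotation": unsign(cookie, new_key),
        "with_fallback": unsign(cookie, new_key, old_keys=[old_key]),
        "reissued": unsign(sign("user=42", new_key), new_key),
        "tampered": unsign(forged, old_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Keeping a retired key in `old_keys` only makes sense for a routine rotation; if the key leaked, drop it entirely and accept that existing cookies must be reissued.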