On Wednesday, March 23, 2016 at 1:22:27 AM UTC-4, Massimo Di Pierro wrote:
>
> It is but make sure you do not expose the welcome app. That app exposes
> (as an example) the state of the system, which includes your secret key.
> The next web2py version (this week, I promise) will prevent that.
>
Do you mean the *examples* app rather than the *welcome* app? If so, my understanding is that it exposes the cookie_key of the examples app itself, not the cookie_keys of any other apps -- so the risk is not that the session data of other apps will be compromised but that there is a different vulnerability via the examples app (which is therefore a risk of any installation, regardless of the type of sessions used in other apps), no?

Anthony