If this is the case it is a bug with the hmac implementation in Python. I will double check.
Massimo

On Aug 23, 5:57 pm, "mr.freeze" <nat...@freezable.com> wrote:
> I have a strange situation and I know virtually nothing about
> cryptography. I am passing a key to my auth password requires
> statement after the recent discussion on security strength like so:
>
> if "login" in request.args:
>     t.password.requires = [CRYPT(key='mykey')]
> else:
>     t.password.requires = [IS_STRONG(upper=1,number=1,special=1),CRYPT(key='mykey')]
>
> Here's the weird part: I have a dev server and a production server
> that are both running web2py and pointed to the same MySQL database.
> If I reset a user password from the dev server (retrieve_password), I
> can only log in from the dev server after that. The same is true for
> the production machine. Resetting from the production server reverses
> the situation.
>
> I have stepped through the code and verified that at line 779 in
> tools.py user[passfield] is indeed different than
> form.vars.get(passfield, '') (both look like valid password hashes)
> so user = None, and thus login fails.
>
> All I can figure is that the encryption is bound to the machine that
> generated the password hash. I'm using the same version of Python and
> web2py. Can someone verify or explain?
>
> As always, thanks for your help.
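
Added example, not part of the thread and not web2py's code: HMAC is deterministic, so running a self-test against the published RFC 2202 / RFC 4231 vectors on each server checks the "bug in Python's hmac" hypothesis, and the rest shows that a change to the key, the password or the digest changes the hash. `keyed_hash` and `differing_inputs` are hypothetical helpers, the choice of SHA-1/SHA-256 and UTF-8 encoding is an assumption, and the sample values are constructed.

```python
import hashlib
import hmac

# Published vectors: RFC 2202 test case 2 (SHA-1), RFC 4231 test case 2 (SHA-256).
VECTOR_KEY = b"Jefe"
VECTOR_MSG = b"what do ya want for nothing?"
EXPECTED = {
    "sha1": "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79",
    "sha256": "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843",
}


def hmac_selftest():
    """Return the digests for which this interpreter's HMAC disagrees with the RFC vectors."""
    return [
        name
        for name, expected in EXPECTED.items()
        if hmac.new(VECTOR_KEY, VECTOR_MSG, getattr(hashlib, name)).hexdigest() != expected
    ]


def keyed_hash(key, password, digest="sha256"):
    """Hypothetical stand-in for a keyed password hash: HMAC(key, password) as hex."""
    return hmac.new(key.encode("utf-8"), password.encode("utf-8"),
                    getattr(hashlib, digest)).hexdigest()


def differing_inputs(server_a, server_b):
    """Each argument is a dict with 'key', 'password', 'digest'; list the fields that differ."""
    return [f for f in ("key", "password", "digest") if server_a[f] != server_b[f]]


if __name__ == "__main__":
    print("HMAC self-test failures:", hmac_selftest() or "none")
    # Constructed sample values; 'mykey' is the key shown in the thread.
    dev = {"key": "mykey", "password": "Example#1pw", "digest": "sha256"}
    prod = {"key": "mykey ", "password": "Example#1pw", "digest": "sha256"}  # trailing space
    for name, cfg in (("dev", dev), ("prod", prod)):
        print(name, keyed_hash(**cfg))
    print("fields that differ:", differing_inputs(dev, prod))
```

If the self-test returns an empty list on both machines, the two hashes can only differ because the key, the password bytes or the digest algorithm differ between them.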