Ticket #2414 (closed defect: fixed)

Opened 5 years ago

Last modified 5 years ago

Cookie secret must be defined in configuration

Reported by: sanjiv
Owned by: percious
Priority: highest
Milestone: 2.1a3
Component: TurboGears
Version: 2.1a1
Severity: major
Keywords:
Cc:

Description

The base_config.sa_auth.cookie_secret config key must be defined for app security.

Presently the config system does not check for this, resulting in a default cookie secret for all apps.

The error can be reproduced as follows:

  1. Create two quickstart apps
  2. Log in to the first app as manager.
  3. Without closing the browser window, stop the first app and start the second app.
  4. Refresh the page and the user remains logged on as manager in the second app too.

This issue was reported and fixed in tg2.0.3 but was not backported to tg2.x branch.

Attached is the fix backported from tg2.0.3.

Sanjiv

Attachments

cookie_secret.diff (828 bytes) - added by sanjiv 5 years ago.
cookie_secret.2.diff (828 bytes) - added by sanjiv 5 years ago.
cookie_secret_devtools.diff (590 bytes) - added by sanjiv 5 years ago.
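
The behaviour in the reproduction steps, and a startup check that fails closed, as an added example that is not the attached patch or TurboGears code. The cookie format is a simplified HMAC-signed value rather than the framework's real auth cookie, the `sa_auth` dict stands in for `base_config.sa_auth`, and `SHARED_DEFAULT`, `ConfigurationError` and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder for "a secret every quickstarted app shares";
# the real default value is not shown on this page.
SHARED_DEFAULT = "PLACEHOLDER-DEFAULT-SECRET"


class ConfigurationError(Exception):
    """Raised at startup when the auth cookie secret is unusable."""


def require_cookie_secret(sa_auth):
    """Fail closed: refuse to start without an explicit, non-default secret."""
    secret = sa_auth.get("cookie_secret")
    if not secret or secret == SHARED_DEFAULT:
        raise ConfigurationError("sa_auth.cookie_secret must be set per application")
    return secret


def issue_cookie(secret, userid):
    """Simplified signed cookie: '<userid>!<hex HMAC-SHA256 of userid>'."""
    mac = hmac.new(secret.encode(), userid.encode(), hashlib.sha256).hexdigest()
    return f"{userid}!{mac}"


def verify_cookie(secret, cookie):
    """Return the userid if the signature matches this app's secret, else None."""
    userid, sep, mac = cookie.rpartition("!")
    if not sep:
        return None
    expected = hmac.new(secret.encode(), userid.encode(), hashlib.sha256).hexdigest()
    return userid if hmac.compare_digest(mac.encode(), expected.encode()) else None


def demo():
    # Both apps fall back to the same secret: app 2 accepts app 1's cookie.
    cookie = issue_cookie(SHARED_DEFAULT, "manager")
    shared = verify_cookie(SHARED_DEFAULT, cookie)
    # Each app has its own random secret: the cookie does not carry over.
    app1 = require_cookie_secret({"cookie_secret": secrets.token_hex(32)})
    app2 = require_cookie_secret({"cookie_secret": secrets.token_hex(32)})
    isolated = verify_cookie(app2, issue_cookie(app1, "manager"))
    return shared, isolated


if __name__ == "__main__":
    print(demo())
```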

Change History

Changed 5 years ago by sanjiv

comment:1 Changed 5 years ago by sanjiv

Kindly ignore cookie_secret.2.diff. It was added by mistake.

comment:2 Changed 5 years ago by percious

  • Status changed from new to closed
  • Resolution set to fixed