kallithea Changeset - c9ca7fa55b0d

Changeset - c9ca7fa55b0d

Parent rev.

Child rev.

[Not reviewed]

beta

0 3 0

Marcin Kuzminski - 12 years ago 2013-06-07 19:23:20
marcin@python-works.com

Fill session cookie secret with random generated app_uuid.
By default this setup is much more secure since it uses
SignedCookies instead of plain ones

3 files changed with 12 insertions and 6 deletions:

development.ini

production.ini

rhodecode/config/deployment.ini_tmpl

0 comments (0 inline, 0 general)

development.ini

➞

Show inline comments

@@ @@ -248,99 +248,101 @@ celery.always.eager = false @@
 beaker.cache.data_dir=%(here)s/data/cache/data
 beaker.cache.lock_dir=%(here)s/data/cache/lock
 beaker.cache.regions=super_short_term,short_term,long_term,sql_cache_short,sql_cache_med,sql_cache_long
 beaker.cache.super_short_term.type=memory
 beaker.cache.super_short_term.expire=10
 beaker.cache.super_short_term.key_length = 256
 beaker.cache.short_term.type=memory
 beaker.cache.short_term.expire=60
 beaker.cache.short_term.key_length = 256
 beaker.cache.long_term.type=memory
 beaker.cache.long_term.expire=36000
 beaker.cache.long_term.key_length = 256
 beaker.cache.sql_cache_short.type=memory
 beaker.cache.sql_cache_short.expire=10
 beaker.cache.sql_cache_short.key_length = 256
 beaker.cache.sql_cache_med.type=memory
 beaker.cache.sql_cache_med.expire=360
 beaker.cache.sql_cache_med.key_length = 256
 beaker.cache.sql_cache_long.type=file
 beaker.cache.sql_cache_long.expire=3600
 beaker.cache.sql_cache_long.key_length = 256
 ####################################
 ###       BEAKER SESSION        ####
 ####################################
 ## Type of storage used for the session, current types are
 ## dbm, file, memcached, database, and memory.
 ## The storage uses the Container API
 ## that is also used by the cache system.
 ## db session ##
 #beaker.session.type = ext:database
 #beaker.session.sa.url = postgresql://postgres:qwe@localhost/rhodecode
 #beaker.session.table_name = db_session
 ## encrypted cookie client side session, good for many instances ##
 #beaker.session.type = cookie
 ## file based cookies (default) ##
 #beaker.session.type = file
 beaker.session.key = rhodecode
 beaker.session.secret = ${app_instance_uuid}
 beaker.session.key = rhodecode
 ## secure cookie requires AES python libraries
 ## Secure encrypted cookie. Requires AES and AES python libraries
 ## you must disable beaker.session.secret to use this
 #beaker.session.encrypt_key = <key_for_encryption>
 #beaker.session.validate_key = <validation_key>
 ## sets session as invalid if it haven't been accessed for given amount of time
 beaker.session.timeout = 2592000
 beaker.session.httponly = true
 #beaker.session.cookie_path = /<your-prefix>
 ## uncomment for https secure cookie
 beaker.session.secure = false
 ## auto save the session to not to use .save()
 beaker.session.auto = False
 ## default cookie expiration time in seconds `true` expire at browser close ##
 #beaker.session.cookie_expires = 3600
 ############################
 ## ERROR HANDLING SYSTEMS ##
 ############################
 ####################
 ### [errormator] ###
 ####################
 ## Errormator is tailored to work with RhodeCode, see
 ## http://errormator.com for details how to obtain an account
 ## you must install python package `errormator_client` to make it work
 ## errormator enabled
 errormator = false
 errormator.server_url = https://api.errormator.com
 errormator.api_key = YOUR_API_KEY
 ## TWEAK AMOUNT OF INFO SENT HERE
 ## enables 404 error logging (default False)
 errormator.report_404 = false
 ## time in seconds after request is considered being slow (default 1)
 errormator.slow_request_time = 1
 ## record slow requests in application
 ## (needs to be enabled for slow datastore recording and time tracking)
 errormator.slow_requests = true

production.ini

➞

Show inline comments

@@ @@ -248,99 +248,101 @@ celery.always.eager = false @@
 beaker.cache.data_dir=%(here)s/data/cache/data
 beaker.cache.lock_dir=%(here)s/data/cache/lock
 beaker.cache.regions=super_short_term,short_term,long_term,sql_cache_short,sql_cache_med,sql_cache_long
 beaker.cache.super_short_term.type=memory
 beaker.cache.super_short_term.expire=10
 beaker.cache.super_short_term.key_length = 256
 beaker.cache.short_term.type=memory
 beaker.cache.short_term.expire=60
 beaker.cache.short_term.key_length = 256
 beaker.cache.long_term.type=memory
 beaker.cache.long_term.expire=36000
 beaker.cache.long_term.key_length = 256
 beaker.cache.sql_cache_short.type=memory
 beaker.cache.sql_cache_short.expire=10
 beaker.cache.sql_cache_short.key_length = 256
 beaker.cache.sql_cache_med.type=memory
 beaker.cache.sql_cache_med.expire=360
 beaker.cache.sql_cache_med.key_length = 256
 beaker.cache.sql_cache_long.type=file
 beaker.cache.sql_cache_long.expire=3600
 beaker.cache.sql_cache_long.key_length = 256
 ####################################
 ###       BEAKER SESSION        ####
 ####################################
 ## Type of storage used for the session, current types are
 ## dbm, file, memcached, database, and memory.
 ## The storage uses the Container API
 ## that is also used by the cache system.
 ## db session ##
 #beaker.session.type = ext:database
 #beaker.session.sa.url = postgresql://postgres:qwe@localhost/rhodecode
 #beaker.session.table_name = db_session
 ## encrypted cookie client side session, good for many instances ##
 #beaker.session.type = cookie
 ## file based cookies (default) ##
 #beaker.session.type = file
 beaker.session.key = rhodecode
 beaker.session.secret = ${app_instance_uuid}
 beaker.session.key = rhodecode
 ## secure cookie requires AES python libraries
 ## Secure encrypted cookie. Requires AES and AES python libraries
 ## you must disable beaker.session.secret to use this
 #beaker.session.encrypt_key = <key_for_encryption>
 #beaker.session.validate_key = <validation_key>
 ## sets session as invalid if it haven't been accessed for given amount of time
 beaker.session.timeout = 2592000
 beaker.session.httponly = true
 #beaker.session.cookie_path = /<your-prefix>
 ## uncomment for https secure cookie
 beaker.session.secure = false
 ## auto save the session to not to use .save()
 beaker.session.auto = False
 ## default cookie expiration time in seconds `true` expire at browser close ##
 #beaker.session.cookie_expires = 3600
 ############################
 ## ERROR HANDLING SYSTEMS ##
 ############################
 ####################
 ### [errormator] ###
 ####################
 ## Errormator is tailored to work with RhodeCode, see
 ## http://errormator.com for details how to obtain an account
 ## you must install python package `errormator_client` to make it work
 ## errormator enabled
 errormator = false
 errormator.server_url = https://api.errormator.com
 errormator.api_key = YOUR_API_KEY
 ## TWEAK AMOUNT OF INFO SENT HERE
 ## enables 404 error logging (default False)
 errormator.report_404 = false
 ## time in seconds after request is considered being slow (default 1)
 errormator.slow_request_time = 1
 ## record slow requests in application
 ## (needs to be enabled for slow datastore recording and time tracking)
 errormator.slow_requests = true

rhodecode/config/deployment.ini_tmpl

➞

Show inline comments

@@ @@ -248,99 +248,101 @@ celery.always.eager = false @@
 beaker.cache.data_dir=%(here)s/data/cache/data
 beaker.cache.lock_dir=%(here)s/data/cache/lock
 beaker.cache.regions=super_short_term,short_term,long_term,sql_cache_short,sql_cache_med,sql_cache_long
 beaker.cache.super_short_term.type=memory
 beaker.cache.super_short_term.expire=10
 beaker.cache.super_short_term.key_length = 256
 beaker.cache.short_term.type=memory
 beaker.cache.short_term.expire=60
 beaker.cache.short_term.key_length = 256
 beaker.cache.long_term.type=memory
 beaker.cache.long_term.expire=36000
 beaker.cache.long_term.key_length = 256
 beaker.cache.sql_cache_short.type=memory
 beaker.cache.sql_cache_short.expire=10
 beaker.cache.sql_cache_short.key_length = 256
 beaker.cache.sql_cache_med.type=memory
 beaker.cache.sql_cache_med.expire=360
 beaker.cache.sql_cache_med.key_length = 256
 beaker.cache.sql_cache_long.type=file
 beaker.cache.sql_cache_long.expire=3600
 beaker.cache.sql_cache_long.key_length = 256
 ####################################
 ###       BEAKER SESSION        ####
 ####################################
 ## Type of storage used for the session, current types are
 ## dbm, file, memcached, database, and memory.
 ## The storage uses the Container API
 ## that is also used by the cache system.
 ## db session ##
 #beaker.session.type = ext:database
 #beaker.session.sa.url = postgresql://postgres:qwe@localhost/rhodecode
 #beaker.session.table_name = db_session
 ## encrypted cookie client side session, good for many instances ##
 #beaker.session.type = cookie
 ## file based cookies (default) ##
 #beaker.session.type = file
 beaker.session.key = rhodecode
 beaker.session.secret = ${app_instance_uuid}
 beaker.session.key = rhodecode
 ## secure cookie requires AES python libraries
 ## Secure encrypted cookie. Requires AES and AES python libraries
 ## you must disable beaker.session.secret to use this
 #beaker.session.encrypt_key = <key_for_encryption>
 #beaker.session.validate_key = <validation_key>
 ## sets session as invalid if it haven't been accessed for given amount of time
 beaker.session.timeout = 2592000
 beaker.session.httponly = true
 #beaker.session.cookie_path = /<your-prefix>
 ## uncomment for https secure cookie
 beaker.session.secure = false
 ## auto save the session to not to use .save()
 beaker.session.auto = False
 ## default cookie expiration time in seconds `true` expire at browser close ##
 #beaker.session.cookie_expires = 3600
 ############################
 ## ERROR HANDLING SYSTEMS ##
 ############################
 ####################
 ### [errormator] ###
 ####################
 ## Errormator is tailored to work with RhodeCode, see
 ## http://errormator.com for details how to obtain an account
 ## you must install python package `errormator_client` to make it work
 ## errormator enabled
 errormator = false
 errormator.server_url = https://api.errormator.com
 errormator.api_key = YOUR_API_KEY
 ## TWEAK AMOUNT OF INFO SENT HERE
 ## enables 404 error logging (default False)
 errormator.report_404 = false
 ## time in seconds after request is considered being slow (default 1)
 errormator.slow_request_time = 1
 ## record slow requests in application
 ## (needs to be enabled for slow datastore recording and time tracking)
 errormator.slow_requests = true

0 comments (0 inline, 0 general)