[ECODP-dev] who.ini

John Glover john.glover at okfn.org
Tue Feb 5 09:14:35 UTC 2013


Hi Dimitrios,

It is used by the Python Paste library [1] that CKAN uses to manage cookie
authentication tickets. This follows the implementation used by the
mod_auth_tkt module for Apache [2]. The secret is part of the MD5 checksum
that is used to validate a cookie, and so must be changed in order to
prevent a possible source of attack.

[1]: http://pythonpaste.org/modules/auth.auth_tkt.html
[2]: http://www.openfusion.com.au/labs/mod_auth_tkt

John


On 5 February 2013 00:26, Dimitrios Mexis <dimitrios.mexis at tenforce.com> wrote:

> Hi,
>
> Just to clarify this "who.ini".
>
> As we followed the instruction to copy the who.ini :
> We created users before this change. It seems alright.
> then
> $ cp
> /applications/ecodp/users/ecodp/ckan/lib/ecodp/pyenv/src/ckan/ckan/config/who.ini
> /applications/ecodp/users/ecodp/ckan/etc/ecodp/who.ini
>
> However, it concerns us why we need to change a "secretkey", and why it is
> called as such?
> What does it do?
> Should we take care of something else?
>
> Regards
> Dimitrios
>
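The role of the who.ini secret described in the reply above, as an added example that is not part of the original thread and is not Paste's or CKAN's own code: a simplified re-implementation of the mod_auth_tkt-style two-pass MD5 ticket digest, showing that a ticket only validates on a server holding the same secret. The function names, both secret values, the user name and the IP address are constructed for illustration; IPv4 only, no expiry check, and user ids are assumed not to contain "!".

```python
import hashlib
import hmac
import socket
import struct

# Constructed placeholder values, not taken from any real who.ini.
TEMPLATE_SECRET = "value-left-unchanged-from-template"
SITE_SECRET = "constructed-random-per-site-value"

def ticket_digest(secret, userid, ip, timestamp, tokens="", user_data=""):
    """Two-pass MD5 over the ticket fields, keyed by the shared secret."""
    packed = socket.inet_aton(ip) + struct.pack("!I", timestamp)
    key = secret.encode()
    inner = hashlib.md5(
        packed + key + userid.encode() + b"\0"
        + tokens.encode() + b"\0" + user_data.encode()
    ).hexdigest()
    return hashlib.md5(inner.encode() + key).hexdigest()

def make_ticket(secret, userid, ip, timestamp, tokens="", user_data=""):
    """Cookie value: 32 hex digest, 8 hex timestamp, userid!, [tokens!], data."""
    digest = ticket_digest(secret, userid, ip, timestamp, tokens, user_data)
    value = "%s%08x%s!" % (digest, timestamp, userid)
    if tokens:
        value += tokens + "!"
    return value + user_data

def validate_ticket(secret, ticket, ip):
    """Return the userid if the digest matches this server's secret, else None."""
    if len(ticket) < 40 or "!" not in ticket[40:]:
        return None
    try:
        timestamp = int(ticket[32:40], 16)
    except ValueError:
        return None
    userid, rest = ticket[40:].split("!", 1)
    tokens, user_data = rest.split("!", 1) if "!" in rest else ("", rest)
    expected = ticket_digest(secret, userid, ip, timestamp, tokens, user_data)
    # Constant-time comparison of the recomputed and presented digests.
    ok = hmac.compare_digest(expected.encode(), ticket[:32].encode())
    return userid if ok else None

if __name__ == "__main__":
    t = make_ticket(TEMPLATE_SECRET, "alice", "192.0.2.10", 1360055675)
    print(validate_ticket(TEMPLATE_SECRET, t, "192.0.2.10"))  # secret unchanged
    print(validate_ticket(SITE_SECRET, t, "192.0.2.10"))      # secret replaced
```

Because the secret is the only input to the digest that is not also readable from the cookie or the request, a value that ships in a public template gives the checksum no protective value until it is replaced.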