author Elrond <elrond+mediagoblin.org@samba-tng.org> 2011-10-04 00:12:03 +0200
committer Elrond <elrond+mediagoblin.org@samba-tng.org> 2011-10-14 21:46:17 +0200
commit 2dc8d249326458b4d70e0cf1efbc956dccb12d3f
tree c288186023cf6f8628369b04fd86adfcd20d52f7 /mediagoblin/config_spec.ini
parent 917d4663afedded7e6606b1a799771da8dc2a37c
Some mostly cosmetic changes to CSRF
* remove max_age - A session cookie is better, because it's a session thing, really.
* Call the cookie mediagoblin_csrftoken, much clearer.
* Use the SCRIPT_NAME for the path of the cookie, so that the cookie is sent back to the right place only. Alternatively the path= parameter could be removed, so that it defaults to '/'.
* call the randomness function only once, instead of twice. 64 bits should be enough. If really more bits are needed, increase the number.
* Just give the number as cookie. No point in md5 and hexdigest in my view (those functions just make another representation).
* getrandbits gets a bit count directly, simpler API
Diffstat (limited to 'mediagoblin/config_spec.ini')
-rw-r--r-- mediagoblin/config_spec.ini 2
1 files changed, 1 insertions, 1 deletions
diff --git a/mediagoblin/config_spec.ini b/mediagoblin/config_spec.ini
index 298a6951..900957ce 100644
--- a/mediagoblin/config_spec.ini
+++ b/mediagoblin/config_spec.ini
@@ -42,7 +42,7 @@ celery_setup_elsewhere = boolean(default=False)
allow_attachments = boolean(default=False)
# Cookie stuff
-csrf_cookie_name = string(default='mediagoblin_nonce')
+csrf_cookie_name = string(default='mediagoblin_csrftoken')
[storage:publicstore]
storage_class = string(default="mediagoblin.storage.filestorage:BasicFileStorage")
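Review bot: The new default on the `csrf_cookie_name` line applies to every deployment that does not set this option itself, so after the upgrade those sites stop looking up `mediagoblin_nonce` and any copy of that cookie already held by a browser is left behind unused. That is worth a line in the release notes. The only documentation for the entry is `# Cookie stuff`, so consider a comment on the spec line saying that it names the CSRF token cookie and that changing the value means tokens issued under the old name are no longer read.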