On Nov 27, 4:05 pm, Ian Holsman <[EMAIL PROTECTED]> wrote:
>
> That's what large companies have committees and auditors for.
>
Oh yes, I learned what a committee was for when I walked on to a job
which was a complete mess. Make it look like I was at fault, when they
were just buying cheap hardware f
David Ross @ Wolfeon wrote:
> After thinking about it for a while, perhaps using SecurID would be
> the better solution in such situations. Some think I'm a bit zealous
> with security, and I've the reason to be. ;) I don't ever want to be
> the person which everyone says, "look at that guy, he wa
On Nov 26, 3:37 am, "Marty Alchin" <[EMAIL PROTECTED]> wrote:
> If you're as concerned with security as it
> sounds like you are, you might look at SecurID.[1]
>
> -Gul
>
> [1]http://en.wikipedia.org/wiki/SecurID
After thinking about it for a while, perhaps using SecurID would be
the better soluti
On Monday 26 November 2007 12:17:51 Ned Batchelder wrote:
> In any case, if the signedcookies code makes you feel better about
> the security of your site, you should certainly use it. There's no
> point in being "disgusted" at Django as a whole.
Agreed - to put it mildly! Django uses a 128 bit
As stated on the code page[1], it uses the New BSD License, though I
really should include that in the source itself.
-Gul
[1] http://code.google.com/p/django-signedcookies/
On Nov 26, 2007 1:57 PM, David Ross @ Wolfeon <[EMAIL PROTECTED]> wrote:
>
> What is the license for the signed cookie co
What is the license for the signed cookie code?
On Nov 26, 4:48 am, "Marty Alchin" <[EMAIL PROTECTED]> wrote:
> On Nov 26, 2007 8:30 AM, Patryk Zawadzki <[EMAIL PROTECTED]> wrote:
>
> > I'm not sure what makes you believe that two cookies are more secure
> > than one. Two n-bit strings are just a
On Nov 26, 2007 8:30 AM, Patryk Zawadzki <[EMAIL PROTECTED]> wrote:
> I'm not sure what makes you believe that two cookies are more secure
> than one. Two n-bit strings are just as secure as one 2n-bit so a
> simple answer would be: make the session ID twice as long.
And that's exactly what the s
On Nov 26, 2007 7:47 AM, David Ross @ Wolfeon <[EMAIL PROTECTED]> wrote:
> I try not to use by IP due to the problem you specified.
Glad to hear it.
> The way I think of the second cookie, is more like a 2nd password.
> Sure, there is a possibility of a brute force with it to, but it is
> less l
2007/11/26, David Ross @ Wolfeon <[EMAIL PROTECTED]>:
>
> I can be unclear at times, especially while I'm very tired. I'll have
> to make an example of what I'm talking about included with an example
> or so. People tend to be a bit more understanding if there is
> something there to play with ins
I can be unclear at times, especially while I'm very tired. I'll have
to make an example of what I'm talking about included with an example
or so. People tend to be a bit more understanding if there is
something there to play with instead of an idea.
I try not to use by IP due to the problem you
On 11/26/07, James Bennett <[EMAIL PROTECTED]> wrote:
> [1] Actually, a "secure" web application is possible. It just starts
> with not ever connecting the application to the Web. Ideally, the
> server on which the application code and database is kept will also be
> stored inside a nuclear-harden
On 11/26/07, David Ross @ Wolfeon <[EMAIL PROTECTED]> wrote:
> environment, and am rather disgusted at the current state because the
> ticket was opened 11 months ago.
>
> http://code.djangoproject.com/ticket/3285
>
> My recommendation is to incorporate code in the default session module
> which i
A couple of points:
1) the hotmail_hack story you point to is about cross-site scripting,
which has nothing to do with the security of cookies.
2) the signedcookies code you point to for inclusion in Django
explicitly discusses the idea that sessions are not vulnerable and
therefore their cook
On 11/25/07, David Ross @ Wolfeon <[EMAIL PROTECTED]> wrote:
> I'm requesting someone please fix the code to the sessions module to
> make Django secure.
I'm going to play devil's advocate here, not out of any personal
malice, but simply because it's important to have *someone* do it in a
case li
Hello,
I'm requesting someone please fix the code to the sessions module to
make Django secure. Currently Django is vulnerable to session
hijacking. Even though the keys are long, a brute force
attack would not be difficult to gain access to a site until they get
a valid item in the