Skip to content

[RFC][BC][FrameworkBundle] Force users to set "kernel.secret" to something unique #6598

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 7, 2013
Merged

[RFC][BC][FrameworkBundle] Force users to set "kernel.secret" to something unique #6598

merged 1 commit into from
Jan 7, 2013

Conversation

stloyd
Copy link
Contributor

@stloyd stloyd commented Jan 7, 2013

Bug fix: kinda*
Feature addition: no
BC break: yes
Symfony2 tests pass: yes
Fixes the following tickets: #6480
License of the code: MIT

This PR is to show different approach for "fix" suggested in #6480, as IMO there is no real point for "yet another listener" =)

This PR also introduces BC break for all users that used default value for kernel.secret, but IMO it's worth it.

@stloyd
[FrameworkBundle] Force users to set "kernel.secret" to something dif…
f5290b9 
…ferent than default "ThisTokenIsNotSoSecretChangeIt"
@fabpot fabpot mentioned this pull request Jan 7, 2013
Closed
fabpot added a commit that referenced this pull request Jan 7, 2013
@fabpot
merged branch stloyd/feature/kernel_secret_change (PR #6598)
dbca040 
This PR was merged into the master branch.

Commits
-------

f5290b9 [FrameworkBundle] Force users to set "kernel.secret" to something different than default "ThisTokenIsNotSoSecretChangeIt"

Discussion
----------

[RFC][BC][FrameworkBundle] Force users to set "kernel.secret" to something unique

Bug fix: kinda*
Feature addition: no
BC break: yes
Symfony2 tests pass: yes
Fixes the following tickets: #6480
License of the code: MIT

This PR is to show different approach for "fix" suggested in #6480, as IMO there is no real point for "yet another listener" =)

This PR also introduces BC break for all users that used default value for `kernel.secret`, but IMO it's worth it.
@fabpot fabpot merged commit f5290b9 into symfony:master Jan 7, 2013
@stloyd stloyd deleted the feature/kernel_secret_change branch January 7, 2013 10:45
@alexandresalome
Copy link

I disagree with this PR:

  • Before this PR, you could download symfony-standard and directly access http://localhost/app_dev.php
  • After this PR, you now need to configure secret before being able to use application.

@alexandresalome
Copy link

And also because on my laptop, I'll have to configure secret for all my applications, even if I don't care of security locally.

@lmcd
Copy link
Contributor

lmcd commented Jan 7, 2013

Not sure I agree with this either... this is gonna break a bunch of sites when sysadmins upgrade their Symfony installations

@fabpot
Copy link
Member

fabpot commented Jan 7, 2013

Right, this is a catch-22. People need to be able to use the interface to change the secret. Reverting for now.

fabpot added a commit that referenced this pull request Jan 7, 2013
@fabpot
Revert "merged branch stloyd/feature/kernel_secret_change (PR #6598)"
b378964 
This reverts commit dbca040, reversing
changes made to 1e62588.
@lmcd
Copy link
Contributor

lmcd commented Jan 8, 2013

I'm still +1 on the event listener, as it only needs to be registered when the default secret is used and can be disabled the rest of the time (via compiler pass).

Also, perhaps we could prompt the user or randomly generate a secret post-install using composer and Sensio DistributionBundle

@alexandresalome
Copy link

It's already present in distribution bundle, there's even a button to generate a random one.

@lmcd
Copy link
Contributor

lmcd commented Jan 8, 2013

@alexandresalome: I meant as a post-install prompt in SensioDistributionBundle/Composer/ScriptHandler.php

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@stloyd @alexandresalome @lmcd @fabpot