Fixed documentation about use of salt parameter in signing functions.

Fixes #16369.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16693 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit c9da5db701096813e3a7b4c64a80f4ad42a8eef8 1 parent 70e59ae
Malcolm Tredinnick authored August 26, 2011

Showing 1 changed file with 12 additions and 5 deletions.

17  docs/topics/signing.txt
@@ -78,11 +78,10 @@ generate signatures. You can use a different secret by passing it to the
78 78
 Using the salt argument
79 79
 -----------------------
80 80
 
81  
-If you do not wish to use the same key for every signing operation in your
82  
-application, you can use the optional ``salt`` argument to the ``Signer``
83  
-class to further strengthen your :setting:`SECRET_KEY` against brute force
84  
-attacks. Using a salt will cause a new key to be derived from both the salt
85  
-and your :setting:`SECRET_KEY`::
  81
+If you do not wish for every occurrence of a particular string to have the same
  82
+signature hash, you can use the optional ``salt`` argument to the ``Signer``
  83
+class. Using a salt will seed the signing hash function with both the salt and
  84
+your :setting:`SECRET_KEY`::
86 85
 
87 86
     >>> signer = Signer()
88 87
     >>> signer.sign('My string')
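Review bot: the rewritten paragraph ends with "both the salt and your :setting:`SECRET_KEY`::", but the example that immediately follows it (context line `>>> signer = Signer()`) constructs a ``Signer`` with no salt at all, so a reader reaching the first code line does not see the ``salt`` argument the paragraph has just introduced. Consider either showing ``Signer(salt=...)`` as the first construction after the ``::`` or adding a short clause such as "compare the unsalted signer below with the salted one that follows" so the unsalted lines are understood as the baseline. The wording change itself is an improvement: dropping the claim that a salt strengthens :setting:`SECRET_KEY` against brute force is correct, since the salt is public and only changes which signature is produced, not how hard the key is to guess.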
@@ -93,6 +92,14 @@ and your :setting:`SECRET_KEY`::
93 92
     >>> signer.unsign('My string:Ee7vGi-ING6n02gkcJ-QLHg6vFw')
94 93
     u'My string'
95 94
 
  95
+Using salt in this way puts the different signatures into different
  96
+namespaces.  A signature that comes from one namespace (a particular salt
  97
+value) cannot be used to validate the same plaintext string in a different
  98
+namespace that is using a different salt setting. The result is to prevent an
  99
+attacker from using a signed string generated in one place in the code as input
  100
+to another piece of code that is generating (and verifying) signatures using a
  101
+different salt.
  102
+
96 103
 Unlike your :setting:`SECRET_KEY`, your salt argument does not need to stay
97 104
 secret.
98 105
 
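Review bot: the new paragraph at lines 95-101 correctly frames the salt as a namespace rather than a hardening measure, but two small points. First, "namespaces.  A signature" on line 95-96 has a double space after the full stop; the rest of this file uses a single space. Second, the last sentence ("The result is to prevent an attacker from using a signed string generated in one place in the code as input to another piece of code that is generating (and verifying) signatures using a different salt.") is a long run; it would read more clearly as, for example, "This prevents a signed value produced by one part of your code from being accepted by another part that verifies with a different salt." It may also be worth stating explicitly, just before the retained "Unlike your :setting:`SECRET_KEY`" sentence, that a salt therefore does nothing to protect you if :setting:`SECRET_KEY` itself leaks, so readers do not carry over the brute-force claim the first hunk removed.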

0 notes on commit c9da5db
