3599fb79b4
The session secret is used to sign and authenticate the session cookie and this way very important for the authentication process. By default the session secret is set to `secret` and never changes. This commit will add a generator for a dynamic session secret if it stays unchanged. It prevents session hijacking this way and will warn the user about the missing secret. This also implies that on a restart without configured session secret will log out all users. While it may seems annoying, it's for the users best. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> |
||
|---|---|---|
| .. | ||
| config | ||
| migrations | ||
| models | ||
| ot | ||
| web | ||
| workers | ||
| csp.js | ||
| history.js | ||
| letter-avatars.js | ||
| logger.js | ||
| realtime.js | ||
| response.js | ||
| utils.js | ||