Web2py weak secret key
Description
Web2py applications use a secret key (cookie_key) to cryptographically sign session cookies, preventing unauthorized modification of cookie data. This application is configured with a weak, default, or publicly known secret key that can be easily guessed or obtained by attackers. When the secret key is compromised, the integrity protection of signed cookies is completely bypassed, allowing attackers to forge or manipulate cookie contents.
Remediation
Immediately replace the weak secret key with a cryptographically strong random value. Generate a new secret key using a secure random number generator and update the cookie_key parameter in your Web2py application configuration.
To generate a strong secret key, use one of the following methods:
Python (recommended):
import os
import base64
# Generate a 64-byte random key
secret_key = base64.b64encode(os.urandom(64)).decode('utf-8')
print(secret_key)
Linux/macOS command line:
openssl rand -base64 64
Update your Web2py application configuration file (typically appconfig.ini or within your application's settings) with the new secret:
cookie_key = YOUR_NEW_RANDOM_SECRET_KEY_HERE
After updating the secret key, restart your Web2py application. Note that existing user sessions will be invalidated and users will need to log in again.
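The following script ties the description and the remediation steps together: it reads the cookie_key from an INI-style configuration, flags values that are empty, placeholders, short, or low in character variety, and generates a replacement with the same os.urandom method shown above. It is an added example, not code from the Web2py project or from this advisory; the list of placeholder values, the 32-character minimum, the entropy threshold, and the sample configuration text are constructed assumptions for illustration.

```python
import base64
import math
import os
import re
from collections import Counter
from typing import List, Optional

# Constructed list of placeholder/default strings that are sometimes left in
# configuration files (assumption for this example, not from the advisory).
KNOWN_WEAK_VALUES = {
    "your_new_random_secret_key_here",
    "changeme",
    "secret",
    "password",
    "cookie_key",
    "web2py",
}


def generate_cookie_key(num_bytes: int = 64) -> str:
    """Return num_bytes of CSPRNG output as base64 (the method the remediation recommends)."""
    return base64.b64encode(os.urandom(num_bytes)).decode("ascii")


def shannon_entropy_bits(value: str) -> float:
    """Per-character Shannon entropy of value in bits (0.0 for an empty string)."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_cookie_key(value: Optional[str], min_length: int = 32) -> List[str]:
    """Return human-readable findings; an empty list means no weakness was detected.

    min_length of 32 characters and the 3.0-bit entropy floor are assumed thresholds.
    """
    findings: List[str] = []
    if value is None:
        return ["cookie_key is not set"]
    v = value.strip().strip("\"'")
    if not v:
        return ["cookie_key is empty"]
    if v.lower() in KNOWN_WEAK_VALUES:
        findings.append("cookie_key is a known placeholder or default value")
    if len(v) < min_length:
        findings.append(f"cookie_key is shorter than {min_length} characters")
    if len(set(v)) <= 3:
        findings.append("cookie_key uses very few distinct characters")
    if shannon_entropy_bits(v) < 3.0:
        findings.append("cookie_key has low character entropy")
    return findings


def read_cookie_key(config_text: str) -> Optional[str]:
    """Extract the cookie_key value from INI-style text such as appconfig.ini."""
    match = re.search(r"^\s*cookie_key\s*=\s*(.*?)\s*$", config_text, re.MULTILINE)
    return match.group(1) if match else None


# Constructed sample configuration still carrying the placeholder from the remediation text.
SAMPLE_CONFIG = """[session]
cookie_key = YOUR_NEW_RANDOM_SECRET_KEY_HERE
"""


if __name__ == "__main__":
    current = read_cookie_key(SAMPLE_CONFIG)
    for finding in assess_cookie_key(current):
        print("WEAK:", finding)
    print("suggested replacement:", generate_cookie_key())
```

Run it against your own appconfig.ini contents instead of SAMPLE_CONFIG; an empty findings list is a necessary but not sufficient condition, since a key that is strong but has been published (in a repository, a backup, or a shared image) is still compromised and must be rotated.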