Just wanted to chime in with a security recommendation that the
admin password be queried for/generated and inserted into
Application.config at install time in the install script. While not
a huge deal, I can imagine a future bugtraq post flagging WebKit's known
default admin pw in an alert (once it becomes famous the world over
and hordes of web developers abandon their current platform for
I know the issue of encrypting the password has been discussed
before and dismissed, but I'd recommend it, at least as an option.
Here's a routine I found (wish I knew where so I could give credit)
for creating encrypted userids for cookies -- using the random()
function at install time to generate the seed (_secretInfo below),
one could easily produce an encrypted password & seed from within
the installer. Of course, another function would be required to
regenerate the password & seed in case it got lost/forgotten. This
function could be an option in the installer or a separate utility.
# This is some super-secret information, hashed together
# with the userID to generate a (hopefully) unforgeable
# token. It's some random bytes from /dev/urandom on my Linux box.
_secretInfo = "\016\327\132\154\215\256\373\023\362\132\047\023"

# Python 2 code (md5 module, base64.encodestring). The def line and the
# final return were lost from the quoted post; the function name is assumed.
def makeToken(userID):
    "Given a user ID, compute the hash and return the resulting token"
    import md5, base64, string
    digest = md5.new(_secretInfo + userID + _secretInfo).digest()
    # The token will contain the user ID and the digest, separated by /
    token = userID + '/' + digest
    # To avoid illegal characters in the digest, the token is base-64 encoded.
    token = base64.encodestring(token)
    # base64.encodestring adds a newline to its result, so we have to
    # strip it off
    return token[:-1]
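A current-Python version of both ideas in the post, added here as an example and not code from the post or from Webware/WebKit: the installer draws the secret from the OS CSPRNG, the cookie token uses HMAC-SHA256 instead of md5(secret+id+secret), and the admin password is stored as a salted PBKDF2 record rather than a fixed default. Function names and the record format are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets

# Install-time secret: drawn from the OS CSPRNG once, by the installer, and
# written to Application.config; never a fixed default shipped in the source.
# Generated at import here so the demo is self-contained.
_secretInfo = secrets.token_bytes(32)
_ITERATIONS = 200_000


def make_token(userID):
    "Cookie token 'userID/<hex MAC>', base64 encoded; HMAC replaces the md5 sandwich"
    mac = hmac.new(_secretInfo, userID.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode((userID + '/' + mac).encode()).decode('ascii')


def check_token(token):
    "Return the userID if the token's MAC verifies, else None (constant-time compare)"
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    userID, sep, mac = raw.rpartition('/')  # a hex MAC never contains '/'
    if not sep:
        return None
    expected = hmac.new(_secretInfo, userID.encode(), hashlib.sha256).hexdigest()
    return userID if hmac.compare_digest(mac, expected) else None


def hash_password(password, salt=None):
    "Installer side: salted PBKDF2 record to store instead of a plaintext admin password"
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, _ITERATIONS)
    return 'pbkdf2_sha256$%d$%s$%s' % (
        _ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, record):
    "Login side: recompute from the stored salt and iteration count, compare in constant time"
    algo, iters, salt_b64, dk_b64 = record.split('$')
    if algo != 'pbkdf2_sha256':
        return False
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))
```

A lost secret is handled the way the post suggests: the installer or a reset utility simply generates a new one and re-hashes a new admin password; nothing derived from the old secret needs to be recoverable.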
Also, how is everyone starting their appserver? init? cron? Anyone
want to share their scripts for checking/restarting the appserver?
I'm going to be putting webkit on a production server & converting
an existing home-grown python app to it & want to know how others
are ensuring webkit doesn't go away on the server (or if it does,
how it's automatically brought back!).
Finally, what account (unix) are you running your appserver under?
I've been testing using the same account I use for httpd(apache),
but don't have a clue what would be considered correct or most
Thanks for the input. And thanks for the awesome product.