In the TurboGears development.ini file, there's a value something like this:

cookie_secret = aabbccdd-eeff-0011-2233-445566778899

consisting of hexadecimal digits and dashes. The same value is placed in beaker.session.secret and beaker.session.validate_key.
http://turbogears.org/2.0/docs/main/Config.html has a section on this value:
The beaker.session.secret key of the base_config object contains the secret used to store user sessions. Pylons automatically generates a random secret for you when you create a project. If an attacker gets his hands on this key, he will be able to forge a valid session and use your application as though he was logged in. In the event of a security breach, you can change this key to invalidate all user sessions.
What's the best way to generate a new key?
It can be anything you want. Better if it is hard to guess or brute-force. The same rules as for passwords apply. It is currently generated with uuid.uuid4() if I remember correctly.
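The rotation the answer describes, as an added Python example that is not from the question, the answer or TurboGears itself: it generates a fresh secret (uuid4 style as the answer mentions, or a 256-bit hex string from the secrets module) and rewrites all three keys in a constructed development.ini fragment in one pass, since they must change together for existing sessions to become invalid. The ini section name and key layout are assumed to follow the quickstart template shown in the question.

```python
import re
import secrets
import uuid

# The three keys the quickstart sets to one shared value (from the question).
SECRET_KEYS = ("cookie_secret", "beaker.session.secret", "beaker.session.validate_key")
_KEY_RE = re.compile(
    r"^(\s*)(%s)(\s*=\s*)(.*)$" % "|".join(re.escape(k) for k in SECRET_KEYS)
)

# Constructed sample of a quickstart development.ini, not a real project's file.
SAMPLE_INI = """\
[app:main]
use = egg:myproject
cookie_secret = aabbccdd-eeff-0011-2233-445566778899
beaker.session.secret = aabbccdd-eeff-0011-2233-445566778899
beaker.session.validate_key = aabbccdd-eeff-0011-2233-445566778899
beaker.session.key = myproject
"""


def generate_secret(uuid_style=False):
    """Return a fresh random secret from the OS CSPRNG.

    uuid_style=True gives the uuid4 form the question shows (122 random bits);
    the default is 32 random bytes as 64 hex characters (256 bits).
    """
    if uuid_style:
        return str(uuid.uuid4())
    return secrets.token_hex(32)


def extract_secrets(ini_text):
    """Map each secret key present in the ini text to its current value."""
    found = {}
    for line in ini_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            found[m.group(2)] = m.group(4).strip()
    return found


def rotate_secrets(ini_text, secret):
    """Set every secret key to `secret`, leaving all other lines untouched.

    Returns (new_text, number_of_keys_replaced) so the caller can confirm
    that all three keys were found and changed together.
    """
    out, replaced = [], 0
    for line in ini_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            line = "%s%s%s%s" % (m.group(1), m.group(2), m.group(3), secret)
            replaced += 1
        out.append(line)
    result = "\n".join(out)
    return (result + "\n" if ini_text.endswith("\n") else result), replaced
```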