[#7551] session cookies can be httpOnly; remove unused 'secret'; comments
The beaker.session.secret value is only used for storage-backed sessions;
we use the validate_key for pure cookie sessions.
diff --git a/Allura/development.ini b/Allura/development.ini
index a410994..c26f459 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -53,9 +53,13 @@
#lang = ru
cache_dir = %(here)s/data
+
+; Docs at http://beaker.readthedocs.org/en/latest/configuration.html#session-options
+; and http://beaker.readthedocs.org/en/latest/modules/session.html#beaker.session.CookieSession
beaker.session.key = allura
beaker.session.type = cookie
-beaker.session.secret = 61ece7db-ba8d-49fe-a923-ab444741708c
+beaker.session.httponly = true
+; CHANGE THIS VALUE FOR YOUR SITE
beaker.session.validate_key = 714bfe3612c42390726f
# Google Analytics account for tracking
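Review bot: The session cookie still has no `secure` attribute after this hunk, so even with `httponly` set it is sent over plain HTTP; for TLS deployments add `beaker.session.secure = true` beside the new httponly line (it can be commented out in development.ini with a note if local development is HTTP-only). The added `; CHANGE THIS VALUE FOR YOUR SITE` comment is good, but `beaker.session.validate_key` on the next line stays a real value checked into the repository, and for a pure cookie session that key is what signs the session contents, so the committed line is better replaced by an obvious placeholder such as `beaker.session.validate_key = CHANGE-ME`. It would also help to extend the new comment to say that without `beaker.session.encrypt_key` the cookie payload is signed but readable by the client, so nothing sensitive should be stored in the session.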
diff --git a/requirements.txt b/requirements.txt
index 359b134..0800820 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,7 @@
pytz==2012j
ActivityStream==0.2.0
BeautifulSoup==3.2.0
+Beaker==1.6.4
chardet==1.0.1
colander==0.9.3
# dep of pypeline
@@ -53,7 +54,6 @@
# tg2 deps (not used directly)
Babel==0.9.6
-Beaker==1.5.4
Mako==0.3.2
MarkupSafe==0.15
Pylons==1.0