Following Jonathan Weiss's recent talk at RubyEnRails on security, I
wanted to ask if it might be a good idea to do something like this by
default in the app template? Obviously this is aimed specifically at
developers doing open-source apps.
# Replace this file with a linked version in production, or remove
the if
# statement if your session_store.rb file is never made public.
if Rails.env == 'production'
raise "Need to link the proper session key!"
else
ActionController::Base.session = {
:key => '_my_apps_session',
:secret => 'oh-so-secret'
}
end
Cheers,
Eloy
It's great to force new deployement to define his own session store, but
if your application can't use CookieSessionStore because more than 4Ko
or you want use ActiveRecordSessionStore but need migration, you can't
help to inform that.
I think that all open project need define a good process to update or
change the session store.
--
Cyril Mougel
http://blog.shingara.fr/