Session key/secret

4 views
Skip to first unread message

Eloy Duran

unread,
Nov 12, 2009, 5:10:49 AM11/12/09
to rubyonra...@googlegroups.com
Hi,

Following Jonathan Weiss's recent talk at RubyEnRails on security, I
wanted to ask if it might be a good idea to do something like this by
default in the app template? Obviously this is aimed specifically at
developers doing open-source apps.

# Replace this file with a linked version in production, or remove
the if
# statement if your session_store.rb file is never made public.
if Rails.env == 'production'
raise "Need to link the proper session key!"
else
ActionController::Base.session = {
:key => '_my_apps_session',
:secret => 'oh-so-secret'
}
end

Cheers,
Eloy

Cyril Mougel

unread,
Nov 12, 2009, 10:53:56 AM11/12/09
to rubyonra...@googlegroups.com
Eloy Duran a écrit :

It's great to force new deployement to define his own session store, but
if your application can't use CookieSessionStore because more than 4Ko
or you want use ActiveRecordSessionStore but need migration, you can't
help to inform that.

I think that all open project need define a good process to update or
change the session store.

--
Cyril Mougel
http://blog.shingara.fr/

Pratik

unread,
Nov 12, 2009, 11:03:24 AM11/12/09
to rubyonra...@googlegroups.com
Things should be optimized for the majority. And majority of apps
aren't open sourced. Instead, the problem can be alleviated by
appropriate documentation in the generated initializer.
--
Cheers!
- Pratik
http://m.onkey.org | http://twitter.com/lifo

Eloy Duran

unread,
Nov 12, 2009, 12:22:17 PM11/12/09
to rubyonra...@googlegroups.com
True, that was my gripe against it as well. Although I do think that
adding documentation won't help much, it's better than nothing. I'll
push something to doc-rails tomorrow, unless someone beats me to it :)

Sent from my iPhone
Reply all
Reply to author
Forward
0 new messages