Rails 3 cookie_verifier_secret


Mislav Marohnić

Dec 29, 2009, 8:48:39 AM
to Rails core
Rails application generator from current master creates two scripts in "config/initializers/": "cookie_verifier_secret.rb" and "session_store.rb".

The former is something like:

ActionController::Base.cookie_verifier_secret = 'xyz...'

... while the latter is:

ActionController::Base.session = {
  :key         => '_foobar_session',
  :secret      => 'abcdefgh...'
}

How do these two secret keys relate, and why are they generated differently?

Trevor Turk

Jan 3, 2010, 12:35:52 PM
to Ruby on Rails: Core
On Dec 29 2009, 7:48 am, Mislav Marohnić <mislav.maroh...@gmail.com>
wrote:

> Rails application generator from current master creates two scripts in
> "config/initializers/": "cookie_verifier_secret.rb" and "session_store.rb".
> How do these two secret keys relate, and why are they generated differently?

I'm also wondering about this. Is there a reason that we can't just
generate one secret for use throughout an app in any case where we
need a secret key?

- Trevor

Pratik

Jan 3, 2010, 1:11:31 PM
to rubyonra...@googlegroups.com
Cookie verifier secret is just for the new cookies.signed option -
http://github.com/rails/rails/commit/0200e20f148c96afceeebc4da7b5985643f9f707.
It has nothing to do with the session secret.


--
Cheers!
- Pratik
http://m.onkey.org | http://twitter.com/lifo
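
A sketch of what a dedicated signed-cookie secret is used for, added here as an example and not taken from the thread or from Rails' own code: a value is tagged with an HMAC under one secret, and a tag made under that secret does not verify under a different one such as the session secret. The helper names, the secrets and the choice of HMAC-SHA256 are assumptions of this example.

```ruby
require 'openssl'
require 'base64'

# Constructed placeholder secrets (not real keys); an app generates long random values.
COOKIE_VERIFIER_SECRET = 'constructed-cookie-verifier-secret-0123456789'
SESSION_SECRET         = 'constructed-session-secret-abcdefghijklmnop'

# Hypothetical helper: hex HMAC-SHA256 tag over the encoded value.
def tag_for(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)
end

# Sign a cookie value as "<base64 value>--<hex tag>".
def sign_cookie(value, secret)
  data = Base64.strict_encode64(value)
  "#{data}--#{tag_for(data, secret)}"
end

# Constant-time comparison so verification does not leak tag bytes through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Return the original value, or nil when the cookie is malformed or the tag does not match.
def verify_cookie(cookie, secret)
  data, tag = cookie.to_s.split('--', 2)
  return nil if data.nil? || tag.nil?
  return nil unless secure_compare(tag, tag_for(data, secret))
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end

# Constructed scenario: an intact cookie, a client-modified cookie, and the wrong secret.
def demo
  cookie   = sign_cookie('user_id=42', COOKIE_VERIFIER_SECRET)
  tampered = cookie.sub(Base64.strict_encode64('user_id=42'), Base64.strict_encode64('user_id=1'))
  {
    valid:        verify_cookie(cookie, COOKIE_VERIFIER_SECRET),
    tampered:     verify_cookie(tampered, COOKIE_VERIFIER_SECRET),
    wrong_secret: verify_cookie(cookie, SESSION_SECRET)
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```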
