After looking at the controversy, delving into my security textbook, and reading some articles on hashing, I would like to recommend some tweaks to the CookieSession defaults and the new 'rake secret'.
1) Change the default hash used in the cookies to SHA256 as a hole was semi-recently found in SHA1.
2) Make 'rake secret' use the lengthier SHA512 hash and output the secret key in base64, or better yet, in a binary string. The 30 character length requirement will require multiple hashes to be generated; however, it will add a significant amount of entropy to every character. (The limited character set in a hex-characters-only key may lead to a differential cryptanalysis -- I'm no crypto-expert, so if someone else knows different, please ease my mind) OR 3) Make 'rake secret' use OpenSSL to generate the secret key.
4) Add, at least an option, to hash the IP address of the user into the cookie's hash. This should prevent against replay attacks automatically without the application developer having to write in this check.
I am willing to write the patches for any/all of these changes.
Also, I noted that a secret key was also set in a comment in the generated ApplicationController. I assume that this is unnecessary since the secret is set by default in the environment.rb. I recommend taking this out of the ApplicationController, assuming it's unnecessary.
And a comment on previous thoughts about using asymmetric key cryptography for generating a signature: I don't recommend this as it is much much more processor intensive than generating a cryptographically secure hash, and a cryptographically secure hash is probably just as effective -- for now.
If I'm beating a dead horse on any of this, I apologize. I tried to do as much research on the controversy as possible, but I, of course, could have missed some things.
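As an added illustration of proposals 1, 3 and 4 above (my own example code, not a Rails patch and not the poster's): the secret comes from OpenSSL's CSPRNG, the cookie is signed with HMAC-SHA256, and the client IP can optionally be mixed into the MAC input. Helper names and the `--` separator are assumptions, not Rails internals.

```ruby
require 'openssl'
require 'base64'

# Proposal 3: draw the secret from OpenSSL's random generator rather than
# hashing something guessable. 64 random bytes, hex-encoded for environment.rb.
def generate_secret(bytes = 64)
  OpenSSL::Random.random_bytes(bytes).unpack1('H*')
end

# Constant-time byte comparison so a forged MAC cannot be guessed byte by byte
# from timing differences (a plain == short-circuits on the first mismatch).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Proposal 1: HMAC-SHA256 over the encoded payload. Proposal 4: when a
# client_ip is supplied it is appended to the MAC input, so the same cookie
# presented from another address fails verification.
def mac_for(secret, payload, client_ip)
  OpenSSL::HMAC.hexdigest('SHA256', secret, [payload, client_ip].compact.join('--'))
end

def sign_cookie(secret, data, client_ip: nil)
  payload = Base64.strict_encode64(data) # strict base64 never contains '-'
  "#{payload}--#{mac_for(secret, payload, client_ip)}"
end

# Returns the session data, or nil if the cookie is malformed, tampered with,
# signed under a different secret, or bound to a different client IP.
def verify_cookie(secret, cookie, client_ip: nil)
  payload, mac = cookie.split('--', 2)
  return nil if payload.nil? || mac.nil?
  return nil unless secure_equal?(mac, mac_for(secret, payload, client_ip))
  Base64.strict_decode64(payload)
rescue ArgumentError
  nil
end
```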