protect_from_forgery(secret) and config.action_controller.session_store

Hi there,

I’ve been chasing my tail this morning with InvalidAuthenticationToken errors on my signup and login forms. It turns out I’d switched the session_store back to cookies, and had forgotten to re-comment the secret param on protect_from_forgery. Bit of a newb mistake.

I’m wondering if the secret param should ever be used when using the cookie session store? If not, should rails raise an error when configured with the cookie store and secret param?

I guess same question applies in the inverse - does it ever make sense to not have the secret param passed when not using the session store?

Cheers,

Tim.

> I'm wondering if the secret param should ever be used when using the cookie session store? If not, should rails raise an error when configured with the cookie store and secret param?

Ideally yes, rails would raise an error when misconfigured like this. I believe at present the presence or absence of the :secret key is something which determines which approach to use, so it might require a little bit of refactoring first.
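To make the "presence or absence of :secret picks the approach" point concrete, here is an added Ruby illustration (not Rails source, and not Tim's patch): it models the two token derivations side by side and adds the configuration check the thread is asking for, so a contradictory combination of session store and :secret raises at startup instead of surfacing later as a token mismatch. The module and method names (CsrfTokenSource, check_forgery_config, valid_token?, simulate_session_id_rotation) are hypothetical, and the session hashes and secrets are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical model of the two authenticity-token derivations discussed in the
# thread. This is illustrative code, not the Rails implementation.
module CsrfTokenSource
  # Explicit-secret approach: HMAC-SHA1 over the session id, keyed by the
  # :secret passed to protect_from_forgery. Only stable while the session id is.
  def self.from_explicit_secret(secret, session_id)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret.to_s, session_id.to_s)
  end

  # Cookie-store approach: a random id lives inside the (tamper-protected)
  # session itself, and the token is a digest of that id under the store's own
  # secret, so no separate :secret is needed.
  def self.from_cookie_session(session, cookie_secret)
    session[:csrf_id] ||= SecureRandom.hex(16)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), cookie_secret.to_s, session[:csrf_id])
  end
end

class ForgeryConfigError < StandardError; end

# The check the thread proposes: refuse a contradictory configuration up front
# rather than silently choosing a derivation from the presence of :secret.
# Returns the derivation mode that the configuration implies.
def check_forgery_config(session_store, forgery_options)
  has_secret = forgery_options.key?(:secret)
  if session_store == :cookie_store
    if has_secret
      raise ForgeryConfigError, 'protect_from_forgery :secret conflicts with the cookie session store; remove it'
    end
    :cookie_session
  else
    unless has_secret
      raise ForgeryConfigError, "protect_from_forgery needs :secret with the #{session_store} session store"
    end
    :explicit_secret
  end
end

# Server-side comparison of a submitted token against the expected one.
def valid_token?(mode, submitted, session, secret)
  expected = case mode
             when :explicit_secret then CsrfTokenSource.from_explicit_secret(secret, session[:session_id])
             when :cookie_session  then CsrfTokenSource.from_cookie_session(session, secret)
             else raise ArgumentError, "unknown mode #{mode.inspect}"
             end
  submitted == expected
end

# Shows why tying the token to the session id is fragile: if a store re-issues
# the session id between the form render and the submit, the HMAC-of-session-id
# token no longer verifies, while the in-session random id survives.
# Returns [explicit_secret_still_valid, cookie_session_still_valid].
def simulate_session_id_rotation
  secret  = 'constructed-secret'
  session = { session_id: 'sid-1' }

  explicit_token = CsrfTokenSource.from_explicit_secret(secret, session[:session_id])
  cookie_token   = CsrfTokenSource.from_cookie_session(session, secret)

  session[:session_id] = 'sid-2' # simulated id rotation; :csrf_id is untouched

  [valid_token?(:explicit_secret, explicit_token, session, secret),
   valid_token?(:cookie_session,  cookie_token,   session, secret)]
end

if __FILE__ == $PROGRAM_NAME
  puts check_forgery_config(:cookie_store, {})                         # => cookie_session
  puts check_forgery_config(:active_record_store, :secret => 'abc')    # => explicit_secret
  begin
    check_forgery_config(:cookie_store, :secret => 'abc')
  rescue ForgeryConfigError => e
    puts "rejected: #{e.message}"
  end
  p simulate_session_id_rotation
end
```

The misconfiguration Tim hit is the `check_forgery_config(:cookie_store, :secret => ...)` case: with a check like this it fails loudly at boot instead of as an InvalidAuthenticityToken on a user-facing form.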

Cheers Koz, I might have a poke around with it over the weekend and see if I can come up with anything useful.

Tim.

I decided to have a go at this tonight. Patch attached at http://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/957

I’m happy to hear any feedback on the patch - as it might have a broader impact than I’m aware of with my limited experience hacking on rails source.

Cheers,

Tim.

This patch (or one like it) also has the side benefit of being able to simplify the generated code for ActionController. The :secret could be uncommented by default, and the comment on the line above could be removed.