I’ve been chasing my tail this morning with InvalidAuthenticationToken errors on my signup and login forms. It turns out I’d switched the session_store back to cookies, and had forgotten to re-comment the secret param on protect_from_forgery. Bit of a newb mistake.
I’m wondering if the secret param should ever be used when using the cookie session store? If not, should Rails raise an error when configured with the cookie store and secret param?
I guess the same question applies in the inverse - does it ever make sense to not have the secret param passed when not using the session store?