Rails 3 cookie_verifier_secret

Mislav · December 29, 2009, 1:48pm

Rails application generator from current master creates two scripts in “config/initializers/”: “cookie_verifier_secret.rb” and “session_store.rb”.

The former is something like:

ActionController::Base.cookie_verifier_secret = ‘xyz…’

… while the latter is:

ActionController::Base.session = {

:key => ‘_foobar_session’,

:secret => ‘abcdefgh…’

}

How do these two secret keys relate, and why are they generated different?

Trevor_Turk · January 3, 2010, 5:35pm

I'm also wondering about this. Is there a reason that we can't just generate one secret for use throughout an app in any case where we need a secret key?

- Trevor

Pratik1 · January 3, 2010, 6:11pm

Cookie verifier secret is just for the new cookies.signed option - http://github.com/rails/rails/commit/0200e20f148c96afceeebc4da7b5985643f9f707. It has nothing to do with the session secret.

Topic		Replies	Views
Rails 3 (latest git): "Missing cookie signing secret" rubyonrails-core	5	195	April 12, 2010
Cookie session security and open-source rubyonrails-core	12	192	August 12, 2008
protect_from_forgery(secret) and config.action_controller.session_store rubyonrails-core	4	150	September 2, 2008
CookieSession Encryption rubyonrails-core	2	89	December 19, 2007
Given the session key and secret, how can we decrypt cookie-based sessions? rubyonrails-talk	1	789	December 21, 2009

Rails 3 cookie_verifier_secret

Related topics

More Resources