Rails 3 (latest git): "Missing cookie signing secret"

michael.hasenstein · April 5, 2010, 9:05am

It seems obvious, but I could not find anything using Google. I DID find articles like http://m.onkey.org/2010/2/5/signed-and-permanent-cookies-in-rails-3, however, that doesn't help - I KNOW what it's supposed to be used for, but I cannot figure out how to SET the secret. I have a file config/ initializers/cookie_verification_secret.rb which sets Rails.application.config.cookie_secret, which I thought should be what's asked for? Anyway, tried to set Rails.application.config.signing_secret in the same file, which didn't help.

Grep-ing through all of the rails3 sources shows file actionpack/lib/ action_controller/metal/cookies.rb, which says config.cookie_secret IS the signing_secret.

1) In that case, is it really necessary to have two names for one and the same thing?

2) Any idea why I get the app error with this message? I'm in the process of changing from authlogic to devise, but until a few minutes ago I at least got the homepage. Not sure how devise could be the culprit but maybe it is.

michael.hasenstein · April 5, 2010, 10:24am

It happens in devise/lib/devise/strategies/rememberable.rb, line @remember_cookie ||= cookies.signed[remember_key]

stack trace (abridged): actionpack/lib/action_dispatch/middleware/cookies.rb:169:in `initialize' actionpack/lib/action_dispatch/middleware/cookies.rb:132:in `new' actionpack/lib/action_dispatch/middleware/cookies.rb:132:in `signed' devise/strategies/rememberable.rb:35:in `remember_cookie' devise/strategies/rememberable.rb:12:in `valid?'

michael.hasenstein · April 5, 2010, 10:41am

In order to debug I changed the SignedCookieJar class initializer to include a log statement.

def initialize(parent_jar, config = {}) --> Rails.logger.debug "CONFIG: #{config.inspect}" raise 'Missing cookie signing secret' if config[:signing_secret].blank? @parent_jar = parent_jar @config = config @verifier = ActiveSupport::MessageVerifier.new(config[:signing_secret]) end

The output in the logfile is CONFIG: {}

I have a file config/initializers/cookie_verification_secret.rb with a content of

Rails.application.config.cookie_secret = '...(secret)...'

Rails 3 Beta2+ (it's the latest from github) bug?

Rizwan_Reza · April 5, 2010, 1:42pm

I just pulled the latest commits from Rails master and it seems this is fixed now. You now need to define the relevant configuration like this:

Rails.application.config.session_store :cookie_store, :key => ‘_appname_session’

Rails.application.config.secret_token = ‘secret’

Omit ‘Rails.application.’ if you’re defining in application.rb.

michael.hasenstein · April 5, 2010, 5:43pm

Yes, today's change fixed it.

keeran · April 12, 2010, 2:35pm

Is this configuration approach due to be changing?

Still getting conflicting deprec notices on the cookie secret and I'm not sure on how we should define session domains now:

config.action_dispatch.session = { :key / :domain / :secret } in application.rb? Initializers? Both?

Kee

Topic		Replies	Views
Rails 3 cookie_verifier_secret rubyonrails-core	2	148	January 3, 2010
protect_from_forgery(secret) and config.action_controller.session_store rubyonrails-core	4	178	September 2, 2008
rake db:migrate pukes on ActionController::Base.cookie_verifier_secret = '...' rubyonrails-talk	0	149	October 11, 2010
SECURITY WARNING: No secret option provided to Rack::Session::Cookie. rubyonrails-talk	5	211	February 7, 2013
Rails 2.3.2 and config.action_controller.session rubyonrails-talk	22	362	October 29, 2013

Rails 3 (latest git): "Missing cookie signing secret"

Related topics

More Resources