Rails 3 (latest git): "Missing cookie signing secret"

It seems obvious, but I could not find anything using Google. I DID
find articles like http://m.onkey.org/2010/2/5/signed-and-permanent-cookies-in-rails-3,
however, that doesn't help - I KNOW what it's supposed to be used for,
but I cannot figure out how to SET the secret. I have a file
config/initializers/cookie_verification_secret.rb which sets
Rails.application.config.cookie_secret, which I thought should be
what's asked for? Anyway, tried to set
Rails.application.config.signing_secret in the same file, which didn't

Grep-ing through all of the rails3 sources shows file
actionpack/lib/action_controller/metal/cookies.rb, which says config.cookie_secret IS
the signing_secret.

1) In that case, is it really necessary to have two names for one and
the same thing?

2) Any idea why I get the app error with this message? I'm in the
process of changing from authlogic to devise, but until a few minutes
ago I at least got the homepage. Not sure how devise could be the
culprit but maybe it is.

It happens in devise/lib/devise/strategies/rememberable.rb, line
  @remember_cookie ||= cookies.signed[remember_key]

stack trace (abridged):
actionpack/lib/action_dispatch/middleware/cookies.rb:132:in `new'
actionpack/lib/action_dispatch/middleware/cookies.rb:132:in `signed'
devise/strategies/rememberable.rb:35:in `remember_cookie'
devise/strategies/rememberable.rb:12:in `valid?'

In order to debug I changed the SignedCookieJar class initializer to
include a log statement.

  def initialize(parent_jar, config = {})
--> Rails.logger.debug "CONFIG: #{config.inspect}"
    raise 'Missing cookie signing secret' if
    @parent_jar = parent_jar
    @config = config
    @verifier =

The output in the logfile is

I have a file config/initializers/cookie_verification_secret.rb with a
content of

Rails.application.config.cookie_secret = '...(secret)...'

Rails 3 Beta2+ (it's the latest from github) bug?

I just pulled the latest commits from Rails master and it seems this is fixed now. You now need to define the relevant configuration like this:

Rails.application.config.session_store :cookie_store, :key => '_appname_session'

Rails.application.config.secret_token = 'secret'

Omit ‘Rails.application.’ if you’re defining in application.rb.
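
What the configured secret does for a signed cookie lookup such as `cookies.signed[...]`, shown as an added example that is not from this thread and not Rails' own code. `DemoSignedJar` is a hypothetical, simplified stand-in built on HMAC-SHA256 from Ruby's standard library, and the secret and cookie values are constructed.

```ruby
require 'openssl'

# Hypothetical, simplified signed-cookie helper (not the Rails implementation).
class DemoSignedJar
  InvalidSignature = Class.new(StandardError)

  def initialize(secret)
    # Fail closed: refuse to sign or verify anything with a missing or blank key.
    raise ArgumentError, 'Missing cookie signing secret' if secret.nil? || secret.strip.empty?
    @secret = secret
  end

  # Cookie layout: base64(payload) + "--" + hex HMAC computed over the base64 text.
  def sign(value)
    data = [value].pack('m0')
    "#{data}--#{digest(data)}"
  end

  # Returns the payload only if the MAC matches; otherwise raises InvalidSignature.
  def verify(cookie)
    data, mac = cookie.to_s.split('--', 2)
    raise InvalidSignature, 'malformed cookie' if data.nil? || data.empty? || mac.nil?
    raise InvalidSignature, 'signature mismatch' unless secure_compare(mac, digest(data))
    data.unpack1('m0').force_encoding('UTF-8')
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), @secret, data)
  end

  # Constant-time comparison so the check does not leak how many characters matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  jar = DemoSignedJar.new('constructed-demo-secret-0123456789abcdef') # constructed value
  cookie = jar.sign('user_id=42')
  puts jar.verify(cookie)
  forged = ['user_id=1'].pack('m0') + '--' + cookie.split('--', 2).last
  begin
    jar.verify(forged)
  rescue DemoSignedJar::InvalidSignature => e
    puts "rejected: #{e.message}"
  end
end
```
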

Yes, today's change fixed it.

Is this configuration approach due to be changing?

Still getting conflicting deprec notices on the cookie secret and I'm
not sure on how we should define session domains now:

config.action_dispatch.session = { :key / :domain / :secret } in
application.rb? Initializers? Both? :)