Session key/secret

Hi,

Following Jonathan Weiss's recent talk at RubyEnRails on security, I wanted to ask if it might be a good idea to do something like this by default in the app template? Obviously this is aimed specifically at developers doing open-source apps.

   # Replace this file with a linked version in production, or remove the if
   # statement if your session_store.rb file is never made public.
   if Rails.env == 'production'
     raise "Need to link the proper session key!"
   else
     ActionController::Base.session = {
       :key => '_my_apps_session',
       :secret => 'oh-so-secret'
     }
   end

Cheers,
Eloy
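As an added illustration (not part of Eloy's message or of the Rails app template), the snippet below turns the same "refuse to boot production with the committed placeholder" idea into a small loader: the real secret comes from an environment variable or from a file that the deploy links in outside version control, and production boot is refused when the secret is missing, is the placeholder from the public repository, or is too short. The names `session_config`, `secret_problem`, `read_secret`, `SESSION_SECRET` and the 30-character minimum are assumptions of this example, not Rails APIs.

```ruby
require 'securerandom'

# Placeholder committed to the public repository; it must never sign
# production cookies.
PLACEHOLDER_SECRET = 'oh-so-secret'
SESSION_KEY        = '_my_apps_session'
# Conservative minimum length chosen for this example.
MIN_SECRET_LENGTH  = 30

# Returns nil when the secret is acceptable for the given environment,
# otherwise a message explaining why boot must be refused. Only production
# is strict; development keeps working with the placeholder.
def secret_problem(env, secret)
  return nil unless env == 'production'
  return 'Need to link the proper session key!' if secret.nil? || secret.strip.empty?
  return 'Session secret is the placeholder committed to the public repository' if secret == PLACEHOLDER_SECRET
  return "Session secret is shorter than #{MIN_SECRET_LENGTH} characters" if secret.length < MIN_SECRET_LENGTH
  nil
end

# Looks the secret up in order: an environment variable (assumed name
# SESSION_SECRET), then a file kept outside version control, e.g. one the
# deploy symlinks into place. Returns nil when neither source provides one.
def read_secret(env_vars, secret_file)
  secret = env_vars['SESSION_SECRET']
  return secret unless secret.nil? || secret.empty?
  return nil unless secret_file && File.file?(secret_file)
  File.read(secret_file).strip
end

# Builds the hash an initializer would assign to ActionController::Base.session.
# Raises in production instead of silently signing cookies with the placeholder.
def session_config(env, env_vars = ENV, secret_file = nil)
  secret  = read_secret(env_vars, secret_file)
  problem = secret_problem(env, secret)
  raise problem if problem
  { :key => SESSION_KEY, :secret => secret || PLACEHOLDER_SECRET }
end

# Produces a fresh secret for the linked file or the environment variable
# (64 random bytes, hex encoded).
def generate_secret
  SecureRandom.hex(64)
end

if __FILE__ == $0
  # Print a new secret for the operator to place outside the repository.
  puts generate_secret
end
```

In an initializer this would read `ActionController::Base.session = session_config(Rails.env, ENV, File.join(RAILS_ROOT, 'config', 'session_secret'))`; the point of the separate `secret_problem` check is that the failure message names the cause (missing, placeholder, too short) instead of a generic boot error.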

Eloy Duran wrote:

Hi,

Following Jonathan Weiss's recent talk at RubyEnRails on security, I
wanted to ask if it might be a good idea to do something like this by
default in the app template? Obviously this is aimed specifically at
developers doing open-source apps.

   # Replace this file with a linked version in production, or remove the if
   # statement if your session_store.rb file is never made public.
   if Rails.env == 'production'
     raise "Need to link the proper session key!"
   else
     ActionController::Base.session = {
       :key => '_my_apps_session',
       :secret => 'oh-so-secret'
     }
   end
  
It's great to force a new deployment to define its own session store, but
if your application can't use CookieSessionStore because the session is more
than 4 KB, or you want to use ActiveRecordSessionStore but need a migration,
this can't help inform about that.

I think that all open projects need to define a good process to update or
change the session store.

Things should be optimized for the majority. And the majority of apps
aren't open sourced. Instead, the problem can be alleviated by
appropriate documentation in the generated initializer.

True, that was my gripe against it as well. Although I do think that
adding documentation won't help much, it's better than nothing. I'll
push something to doc-rails tomorrow, unless someone beats me to it :)