When open-sourcing a live Rails app, is it dangerous to leave the session key secret in source contr
Posted
by rspeicher
on Stack Overflow
See other posts from Stack Overflow
or by rspeicher
Published on 2010-04-17T21:51:59Z
Indexed on
2010/04/17
23:23 UTC
Read the original article
Hit count: 129
I've got a Rails app that's been running live for some time, and I'm planning to open source it in the near future. I'm wondering how dangerous it is to leave the session key store secret in source control while the app is live.
If it's dangerous, how do people usually handle this problem? I'd guess that it's easiest to just move the string to a text file that's ignored by the SCM, and read it in later.
Just for clarity, I'm talking about this:
# Your secret key for verifying cookie session data integrity.
# If you change this key, all old sessions will become invalid!
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
ActionController::Base.session = {
:key => '_application_session',
:secret => '(long, unique string)'
}
And while we're on the subject, is there anything else in a default Rails app that should be protected when open sourcing a live app?
© Stack Overflow or respective owner