When open-sourcing a live Rails app, is it dangerous to leave the session key secret in source contr

Posted by rspeicher on Stack Overflow See other posts from Stack Overflow or by rspeicher
Published on 2010-04-17T21:51:59Z Indexed on 2010/04/17 23:23 UTC
Read the original article Hit count: 129

I've got a Rails app that's been running live for some time, and I'm planning to open source it in the near future. I'm wondering how dangerous it is to leave the session key store secret in source control while the app is live.

If it's dangerous, how do people usually handle this problem? I'd guess that it's easiest to just move the string to a text file that's ignored by the SCM, and read it in later.

Just for clarity, I'm talking about this:

# Your secret key for verifying cookie session data integrity.
# If you change this key, all old sessions will become invalid!
# Make sure the secret is at least 30 characters and all random, 
# no regular words or you'll be exposed to dictionary attacks.
ActionController::Base.session = {
  :key         => '_application_session',
  :secret      => '(long, unique string)'
}

And while we're on the subject, is there anything else in a default Rails app that should be protected when open sourcing a live app?

© Stack Overflow or respective owner

Related posts about ruby-on-rails

Related posts about git