Read more

Fix warning: No secret option provided to Rack::Session::Cookie

Henning Koch
January 08, 2013Software engineer at makandra GmbH

You will get this when you are using the latest version of Rails with a recent version of Rack:

SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
This poses a security threat. It is strongly recommended that you
provide a secret to prevent exploits that may be possible from crafted
cookies. This will not be supported in future versions of Rack, and
future versions will even invalidate your existing user cookies.
Illustration online protection

Rails Long Term Support

Rails LTS provides security patches for old versions of Ruby on Rails (2.3, 3.2, 4.2 and 5.2)

  • Prevents you from data breaches and liability risks
  • Upgrade at your own pace
  • Works with modern Rubies
Read more Show archive.org snapshot

The warning is caused by Rails calling Rack incorrectly. It is unclear Show archive.org snapshot when this is going to be fixed in Rails. If it will be fixed, I guess it will be for Rails 4 only.

The best workaround right now is to lock your version of rack at version 1.4.1.

Posted by Henning Koch to makandra dev (2013-01-08 13:55)