Rails: Have different session secrets for all environments

Updated . Posted . Visible to the public. Deprecated.

This is no longer relevant in modern Railses, which uses the secret_key_base from secrets.yml, which will always differ per deployment anyways.

The Rails secret_token must be unique for each application and any instance of it. If not, someone could exploit this by creating a user with ID = 1 (e.g. on staging), sign in and then use that cookie to authenticate on another site (e.g. on production, where the user with ID = 1 probably is the admin).

Here is a one-for-all solution that does not affect current production users, leaving the production token unchanged: prefix the existing secret_token with #{Rails.env unless Rails.env.production?}.

Note: There may be tokens in single quotes that include backslashes, double quotes etc. You should not change this to double quotes because Ruby would interpret "escaped" characters with a backslash in front of them etc. In this case, affix the token with a separate string instead: ...token = 'current_token\nfoo@#$' + "#{Rails.env unless Rails.env.production?}".

Rails 3

In config/initializers/secret_token.rb:

MyApp::Application.config.secret_token = "#{Rails.env unless Rails.env.production?}long_maximally_random_string<-.->(*^-^*)etc"

Rails 2

In config/initializers/session_store.rb (for the Rails session cookie):

ActionController::Base.session = {
  :key         => '_example_session',
  :secret      => "#{Rails.env unless Rails.env.production?}long_maximally_random_string<-.->(*^-^*)etc"
}

And in config/initializers/cookie_verification_secret.rb (for signed cookies):

ActionController::Base.cookie_verifier_secret = "#{Rails.env unless Rails.env.production?}long_maximally_random_string<-.->(*^-^*)etc"

If the session secret is set inside the Initializer block in config/environment.rb, calling Rails.env will break. Use RAILS_ENV unless RAILS_ENV == 'production' instead.

Dominik Schöler
Last edit
Dominik Schöler
License
Source code in this card is licensed under the MIT License.
Posted by Dominik Schöler to makandra dev (2013-06-14 10:23)