Security: Make our session secret actually a secret

This is the first of several patches produced by our security audit. It addresses the concerns mentioned here: http://groups.google.co.nz/group/rubyonrails-core/browse_thread/thread/4d43c1fa2485f3e3/e63662d7d521663e Note that you will be instructed to run 'rake db:bootstrap:session' when you first try to run Mephisto, and that your session cookie name will change in order to prevent errors about invalid cookie signatures. Thank you to Isaac for helping me track down the best way to solve this problem.
emk · Dec 10, 2008 · d558ba1 · d558ba1 · danlynn · Dec 12, 2008
1 parent 170fe8c
commit d558ba1
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 7 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,7 @@
 .rake_tasks
 config/database.yml
 config/deploy.rb
+config/initializers/session_store.rb
 db/*.sqlite3
 log/*.log
 public/assets

diff --git a/config/environment.rb b/config/environment.rb
@@ -25,6 +25,12 @@ def safe_to_load_application?
   File.basename($0) != "rake" || !ARGV.any? {|a| a =~ /^db:/ }
 end
 
+# Make sure we a site-specific secret key file.
+unless File.exists?(File.join(File.dirname(__FILE__),
+                              'initializers/session_store.rb'))
+  raise "You need to run 'rake db:bootstrap:session' to create a secret key."
+end
+
 Rails::Initializer.run do |config|
   # Settings in config/environments/* take precedence those specified here
 
@@ -45,11 +51,6 @@ def safe_to_load_application?
   # (by default production uses :info, the others :debug)
   # config.log_level = :debug
 
-  # Use the database for sessions instead of the file system
-  # (create the session table with 'rake create_sessions_table')
-  # config.action_controller.session_store = :active_record_store
-  config.action_controller.session = { :session_key => "_mephisto_session", :secret => "bd088a0f5b476fe5a2c02653a93ed14a95a8396829ce4e726ee77553ab6438a98d0f3e6d80fc6b120370ba047f28e09f71543ae5f842365e5070e7db51fb2cb9" }
-
   # Make Active Record use UTC-base instead of local time
   config.active_record.default_timezone = :utc
 

diff --git a/lib/tasks/bootstrap.rake b/lib/tasks/bootstrap.rake
@@ -3,7 +3,7 @@ SITE_THEME_DIR = File.join(THEME_ROOT, "site-#{(ENV['SITE_ID'] || '1')}")
 
 namespace :db do
   desc "Loads a schema.rb file into the database and then loads the initial database fixtures."
-  task :bootstrap do |task_args|
+  task :bootstrap => 'db:bootstrap:session' do |task_args|
     mkdir_p File.join(RAILS_ROOT, 'log')
 
     require 'rubygems' unless Object.const_defined?(:Gem)
@@ -69,5 +69,29 @@ namespace :db do
         FileUtils.rm_rf dir
       end
     end
+
+    desc "Create a secret key for use with session cookies"
+    task :session do
+      path = File.join(RAILS_ROOT, 'config', 'initializers', 'session_store.rb')
+      return if File.exists?(path)
+      File.open(path, 'w') do |f|
+        f.write <<"EOD"
+# This file was generated by 'rake db:bootstrap:session', and should not be
+# made visible to public.  Do not check it into github!  If you have a
+# load-balancing Mephisto cluser, you will need to use the same version of
+# this file on each machine.  And be sure to restart your server when you
+# modify this file.
+
+# Your secret key for verifying cookie session data integrity.  If you
+# change this key, all old sessions will become invalid!  Make sure the
+# secret is at least 30 characters and all random, no regular words or
+# you'll be exposed to dictionary attacks.
+ActionController::Base.session = {
+  :session_key => '_mephisto_session_2',
+  :secret      => '#{SecureRandom.hex(40)}'
+}
+EOD
+      end
+    end
   end
-end
+end