Skip to content


Security: Make our session secret actually a secret
Browse files Browse the repository at this point in the history
This is the first of several patches produced by our security audit.  It
addresses the concerns mentioned here:

Note that you will be instructed to run 'rake db:bootstrap:session' when
you first try to run Mephisto, and that your session cookie name will
change in order to prevent errors about invalid cookie signatures.

Thank you to Isaac for helping me track down the best way to solve this
  • Loading branch information
emk committed Dec 10, 2008
1 parent 170fe8c commit d558ba1
Show file tree
Hide file tree
Showing 3 changed files with 33 additions and 7 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -1,6 +1,7 @@
Expand Down
11 changes: 6 additions & 5 deletions config/environment.rb
Expand Up @@ -25,6 +25,12 @@ def safe_to_load_application?
File.basename($0) != "rake" || !ARGV.any? {|a| a =~ /^db:/ }

# Make sure we a site-specific secret key file.
unless File.exists?(File.join(File.dirname(__FILE__),
raise "You need to run 'rake db:bootstrap:session' to create a secret key."
end do |config|
# Settings in config/environments/* take precedence those specified here

Expand All @@ -45,11 +51,6 @@ def safe_to_load_application?
# (by default production uses :info, the others :debug)
# config.log_level = :debug

# Use the database for sessions instead of the file system
# (create the session table with 'rake create_sessions_table')
# config.action_controller.session_store = :active_record_store
config.action_controller.session = { :session_key => "_mephisto_session", :secret => "bd088a0f5b476fe5a2c02653a93ed14a95a8396829ce4e726ee77553ab6438a98d0f3e6d80fc6b120370ba047f28e09f71543ae5f842365e5070e7db51fb2cb9" }

# Make Active Record use UTC-base instead of local time
config.active_record.default_timezone = :utc

Expand Down
28 changes: 26 additions & 2 deletions lib/tasks/bootstrap.rake
Expand Up @@ -3,7 +3,7 @@ SITE_THEME_DIR = File.join(THEME_ROOT, "site-#{(ENV['SITE_ID'] || '1')}")

namespace :db do
desc "Loads a schema.rb file into the database and then loads the initial database fixtures."
task :bootstrap do |task_args|
task :bootstrap => 'db:bootstrap:session' do |task_args|
mkdir_p File.join(RAILS_ROOT, 'log')

require 'rubygems' unless Object.const_defined?(:Gem)
Expand Down Expand Up @@ -69,5 +69,29 @@ namespace :db do
FileUtils.rm_rf dir

desc "Create a secret key for use with session cookies"
task :session do
path = File.join(RAILS_ROOT, 'config', 'initializers', 'session_store.rb')
return if File.exists?(path), 'w') do |f|
f.write <<"EOD"
# This file was generated by 'rake db:bootstrap:session', and should not be
# made visible to public. Do not check it into github! If you have a
# load-balancing Mephisto cluser, you will need to use the same version of
# this file on each machine. And be sure to restart your server when you
# modify this file.
# Your secret key for verifying cookie session data integrity. If you
# change this key, all old sessions will become invalid! Make sure the
# secret is at least 30 characters and all random, no regular words or
# you'll be exposed to dictionary attacks.
ActionController::Base.session = {
:session_key => '_mephisto_session_2',
:secret => '#{SecureRandom.hex(40)}'

1 comment on commit d558ba1

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of simply raising an error like this:

rake aborted!
unexpected return

The session_store.rb should probably be overwritten in the rake —trace db:bootstrap:session every time that it is ran instead of failing with an unhelpful message.

Please sign in to comment.