
Security: Make our session secret actually a secret

This is the first of several patches produced by our security audit.  It
addresses the concerns mentioned here:

  http://groups.google.co.nz/group/rubyonrails-core/browse_thread/thread/4d43c1fa2485f3e3/e63662d7d521663e

Note that you will be instructed to run 'rake db:bootstrap:session' when
you first try to run Mephisto, and that your session cookie name will
change in order to prevent errors about invalid cookie signatures.

Thank you to Isaac for helping me track down the best way to solve this
problem.
emk committed Dec 10, 2008
1 parent 170fe8c commit d558ba11e393b1bd444039d535aad3f9853e2592
Showing with 33 additions and 7 deletions.
  1. +1 −0 .gitignore
  2. +6 −5 config/environment.rb
  3. +26 −2 lib/tasks/bootstrap.rake
@@ -1,6 +1,7 @@
.rake_tasks
config/database.yml
config/deploy.rb
config/initializers/session_store.rb
db/*.sqlite3
log/*.log
public/assets
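Review bot: the new `config/initializers/session_store.rb` entry only stops the generated file from being added in future; `.gitignore` does not untrack a path that is already in the index, so anyone who previously committed a `session_store.rb` should check `git ls-files config/initializers` and remove it with `git rm --cached` before relying on this. Any secret that has ever been committed, including the one deleted from `config/environment.rb` in this same commit, stays in history and has to be treated as compromised rather than merely ignored.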
@@ -25,6 +25,12 @@ def safe_to_load_application?
File.basename($0) != "rake" || !ARGV.any? {|a| a =~ /^db:/ }
end

# Make sure we a site-specific secret key file.
unless File.exists?(File.join(File.dirname(__FILE__),
'initializers/session_store.rb'))
raise "You need to run 'rake db:bootstrap:session' to create a secret key."
end

Rails::Initializer.run do |config|
# Settings in config/environments/* take precedence those specified here

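Review bot: the `unless File.exists?(...)` check is unconditional and sits outside `safe_to_load_application?`, so any rake task that loads `config/environment.rb` before `rake db:bootstrap:session` has run will abort with this message, which includes `rake db:bootstrap` itself if any of its prerequisites require the environment; either guard it with `safe_to_load_application?` or confirm that nothing on the bootstrap path loads the environment before the session task runs. The check also only proves the file exists, not that it sets a `:secret`, so an empty or truncated file passes. Minor: the comment `# Make sure we a site-specific secret key file.` is missing the word "have".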
@@ -45,11 +51,6 @@ def safe_to_load_application?
# (by default production uses :info, the others :debug)
# config.log_level = :debug

# Use the database for sessions instead of the file system
# (create the session table with 'rake create_sessions_table')
# config.action_controller.session_store = :active_record_store
config.action_controller.session = { :session_key => "_mephisto_session", :secret => "bd088a0f5b476fe5a2c02653a93ed14a95a8396829ce4e726ee77553ab6438a98d0f3e6d80fc6b120370ba047f28e09f71543ae5f842365e5070e7db51fb2cb9" }

# Make Active Record use UTC-base instead of local time
config.active_record.default_timezone = :utc

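Review bot: deleting the hardcoded `:secret` does not unpublish it; the value on the removed line remains in git history and in every existing checkout, so it must be treated as compromised, and any deployment still running it can have its session cookies forged by anyone who reads the repository. Changing the cookie name to `_mephisto_session_2` in the generated file only avoids signature errors for upgraded installs; the release notes should tell operators to run the bootstrap task and not to paste the old value into their `session_store.rb`. The surrounding `session_store` comment lines are left as context, which is fine, but they now describe a different setting than the new initializer configures.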
@@ -3,7 +3,7 @@ SITE_THEME_DIR = File.join(THEME_ROOT, "site-#{(ENV['SITE_ID'] || '1')}")

namespace :db do
desc "Loads a schema.rb file into the database and then loads the initial database fixtures."
task :bootstrap do |task_args|
task :bootstrap => 'db:bootstrap:session' do |task_args|
mkdir_p File.join(RAILS_ROOT, 'log')

require 'rubygems' unless Object.const_defined?(:Gem)
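Review bot: adding `'db:bootstrap:session'` as a prerequisite of `task :bootstrap` is the right way to make a fresh install self-contained, but the `desc` string above it still only says "Loads a schema.rb file into the database and then loads the initial database fixtures."; it should mention that a session secret is generated as well, and state whether re-running `rake db:bootstrap` keeps an existing secret or rotates it, since rotating it silently logs every user out.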
@@ -69,5 +69,29 @@ namespace :db do
FileUtils.rm_rf dir
end
end

desc "Create a secret key for use with session cookies"
task :session do
path = File.join(RAILS_ROOT, 'config', 'initializers', 'session_store.rb')
return if File.exists?(path)
File.open(path, 'w') do |f|
f.write <<"EOD"
# This file was generated by 'rake db:bootstrap:session', and should not be
# made visible to public. Do not check it into github! If you have a
# load-balancing Mephisto cluser, you will need to use the same version of
# this file on each machine. And be sure to restart your server when you
# modify this file.

# Your secret key for verifying cookie session data integrity. If you
# change this key, all old sessions will become invalid! Make sure the
# secret is at least 30 characters and all random, no regular words or
# you'll be exposed to dictionary attacks.
ActionController::Base.session = {
:session_key => '_mephisto_session_2',
:secret => '#{SecureRandom.hex(40)}'
}
EOD
end
end
end
end
end
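Review bot: `return if File.exists?(path)` inside the `task :session do ... end` block raises LocalJumpError ("unexpected return") whenever the file already exists, because Rake stores the block and invokes it after the file that defined it has finished loading; use `next if File.exists?(path)` or wrap the body in `unless File.exists?(path) ... end`. The file is created via `File.open(path, 'w')` with the process umask, typically 0644, so other local users can read the secret; open it with `File::WRONLY | File::CREAT | File::EXCL` and mode `0600` instead, which also removes the race between the existence check and the write. `SecureRandom.hex(40)` is only defined here if `securerandom` (or ActiveSupport's equivalent) has already been loaded, and this task deliberately avoids loading the Rails environment, so add `require 'securerandom'` at the top of the task. In the generated comment, "cluser" should be "cluster" and "made visible to public" reads better as "made public".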

1 comment on commit d558ba1


danlynn commented on d558ba1 Dec 12, 2008

Instead of simply raising an error like this:

rake aborted!
unexpected return

The session_store.rb should probably be overwritten in the rake --trace db:bootstrap:session every time it is run instead of failing with an unhelpful message.
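The "unexpected return" above is Ruby's LocalJumpError: `return` inside a block that Rake stores and calls later has no method to return from. The following is an added example, not code from the Mephisto repository or from either commenter, showing why the original task fails and how a generator that is idempotent (an existing secret is kept, not rotated) and creates the file with owner-only permissions would look. The `task`/`run_task` helpers are a hypothetical stand-in for Rake that reproduces only the store-then-call behaviour; the cookie name and the initializer body mirror the commit's, and the temporary directory replaces `RAILS_ROOT`.

```ruby
require 'securerandom'
require 'tmpdir'
require 'fileutils'

# Hypothetical stand-in for Rake's `task`: like Rake, it stores the block and
# invokes it later, after the code that defined it has already returned.
TASKS = {}
def task(name, &block)
  TASKS[name] = block
end

def run_task(name, *args)
  TASKS[name].call(*args)
end

# Generate the session-secret initializer. Idempotent: an existing file is
# left untouched, so re-running bootstrap never silently rotates the key and
# logs every user out. Returns :created or :kept.
def write_session_secret(path, cookie_name = '_mephisto_session_2')
  return :kept if File.exist?(path)
  FileUtils.mkdir_p(File.dirname(path))
  # 0600 + O_EXCL: readable by the owner only, and the open fails instead of
  # clobbering a file that appeared between the existence check and the write.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write <<"EOD"
# Generated secret for verifying session cookie integrity. Keep it out of
# version control; use the same file on every node behind a load balancer.
ActionController::Base.session = {
  :session_key => '#{cookie_name}',
  :secret => '#{SecureRandom.hex(40)}'
}
EOD
  end
  :created
end

# Pull the secret back out of a generated file so callers can check it.
def read_secret(path)
  File.read(path)[/:secret => '([0-9a-f]+)'/, 1]
end

# The pattern from the original task: `return` directly inside a stored block.
# By the time run_task calls it, define_broken_task has returned, so `return`
# has no frame to unwind to and Ruby raises LocalJumpError ("unexpected return").
def define_broken_task(path)
  task(:broken) do
    return if File.exist?(path)   # LocalJumpError once the file exists
    write_session_secret(path)
  end
end

# The fix: `next` leaves the block (with a value) without touching any frame.
def define_fixed_task(path)
  task(:fixed) do
    next :kept if File.exist?(path)
    write_session_secret(path)
  end
end

def broken_task_raises?(path)
  define_broken_task(path)
  run_task(:broken)
  false
rescue LocalJumpError
  true
end

# Runs the whole scenario in a throwaway directory standing in for RAILS_ROOT.
def demo
  Dir.mktmpdir do |dir|
    path   = File.join(dir, 'config', 'initializers', 'session_store.rb')
    first  = write_session_secret(path)   # :created
    second = write_session_secret(path)   # :kept (no rotation)
    define_fixed_task(path)
    {
      first:         first,
      second:        second,
      mode:          File.stat(path).mode & 0777,   # 0600
      secret_len:    read_secret(path).length,      # 80 hex chars from hex(40)
      fixed:         run_task(:fixed),              # :kept, no error
      broken_raises: broken_task_raises?(path)      # true: LocalJumpError
    }
  end
end

p demo if __FILE__ == $0
```

Overwriting the file on every run, as suggested in the comment, would avoid the error but rotate the secret and invalidate all sessions each time bootstrap runs; keeping the existing file and exiting the block with `next` gives a clear no-op instead.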
