secret_token.rb probably ought not to be in the repository #178

Closed
tommorris opened this Issue Jan 3, 2013 · 4 comments


See GitHub and Trac.

Thanks to fnzcuvccra for pointing this out.

Collaborator

gravitystorm commented Jan 3, 2013

In another rails project I work on, we have a secret in secret_token.rb, but also check for an override file. This allows things to work out-of-the-box when developing, but in production the secret token is overridden.

https://github.com/cyclestreets/toolkit/blob/master/config/initializers/secret_token.rb

Here's a chef recipe for creating the secret token:

https://github.com/cyclestreets/toolkit-chef/blob/master/cookbooks/toolkit/recipes/default.rb#L182

OSM uses chef, but might have to do things differently so that all the front-ends share the same secret token. Unless, of course, this is already taken care of by the OSM chef scripts!

In any case, we should probably update the README to suggest changing it when you're making your own installation.
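
The override pattern described in the comment above, sketched as an added example (not code from this thread or from the linked projects). All names, the file path and the default token value are hypothetical; in a Rails 3 initializer the result would be assigned to `config.secret_token`.

```ruby
require "securerandom"
require "tmpdir"

# All names here are hypothetical and the token value is constructed.
class TokenConfigError < StandardError; end

DEV_DEFAULT_TOKEN = ("dev-only-" + "0" * 55).freeze # placeholder committed to the repo
MIN_TOKEN_LENGTH = 30 # minimum chosen for this example

# Provisioning side: write a random token readable only by the owner.
def write_override(path)
  token = SecureRandom.hex(64)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(token) }
  token
end

# Initializer side: prefer the override; allow the committed default only
# outside production, so a public token never signs production cookies.
def resolve_secret_token(env:, override_path:)
  if File.file?(override_path)
    if File.stat(override_path).mode & 0o077 != 0
      raise TokenConfigError, "#{override_path} is readable by group or others"
    end
    token = File.read(override_path).strip
    raise TokenConfigError, "override token is too short" if token.length < MIN_TOKEN_LENGTH
    return token
  end
  raise TokenConfigError, "no override file in production" if env == "production"
  DEV_DEFAULT_TOKEN
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, "secret_token_override")
    puts resolve_secret_token(env: "development", override_path: path) == DEV_DEFAULT_TOKEN
    write_override(path)
    puts resolve_secret_token(env: "production", override_path: path).length
  end
end
```

Where several front-ends must accept each other's signed cookies, the same override file content has to be provisioned to each of them.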

Owner

tomhughes commented Jan 3, 2013

I don't think we actually used signed cookies at all, so that token has no value as I understand it.

Signed cookies are only used if you use cookie based sessions, which we don't, or if you explicitly set a signed cookie in a controller.

Member

jfirebaugh commented Jan 3, 2013

> Signed cookies are only used if you use cookie based sessions, which we don't, or if you explicitly set a signed cookie in a controller.

That's my understanding as well. It looks like we can just delete secret_token.rb.

Owner

tomhughes commented Feb 3, 2013

I've deleted secret_token.rb now.

@tomhughes tomhughes closed this Feb 3, 2013
