Tim Haines
2008-Sep-02 00:41 UTC
protect_from_forgery(secret) and config.action_controller.session_store
Hi there, I've been chasing my tail this morning with InvalidAuthenticationToken errors on my signup and login forms. It turns out I'd switched the session_store back to cookies, and had forgotten to recomment the secret param on protect_from_forgery. Bit of a newb mistake. I'm wondering if the secret param should ever be used when using the cookie session store? If not, should rails raise an error when configured with the cookie store and secret param? I guess same question applies in the inverse - does it ever make sense to not have the secret param passed when not using the session store? Cheers, Tim. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en -~----------~----~----~----~------~----~------~--~---
Michael Koziarski
2008-Sep-02 07:11 UTC
Re: protect_from_forgery(secret) and config.action_controller.session_store
> I'm wondering if the secret param should ever be used when using the cookie session store? If not, should rails raise an error when configured with the cookie store and secret param?

Ideally yes, rails would raise an error when misconfigured like this. I believe at present the presence or absence of the :secret key is something which determines which approach to use, so it might require a little bit of refactoring first. -- Cheers Koz
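The two token strategies Koz refers to, as an added illustration that is not code from the thread or from the Rails source: one derives the token from the server-side session id plus the configured :secret, the other stores a random token in the session data itself and needs no secret. The function and class names are my own; the CookieSession stand-in assumes a cookie store that only round-trips the session hash, so its session id is fresh on every request, which is the simplest way to reproduce the token mismatch Tim describes. check_forgery_config is a sketch of the startup check being asked for, not the patch on the ticket.

```ruby
require 'digest/sha1'
require 'securerandom'

class CsrfConfigError < StandardError; end

# Strategy A: digest of the server-side session id and a shared secret.
# Only works when the session id is stable across requests (server-side store).
def token_from_session_id(session_id, secret)
  Digest::SHA1.hexdigest("#{session_id}--#{secret}")
end

# Strategy B: a random token generated once and kept in the session data.
# Needs no secret; a cookie store round-trips the data hash itself.
def token_from_session(session)
  session[:_csrf_token] ||= SecureRandom.hex(16)
end

# Map the configuration to a strategy and reject the two mismatches
# raised in the thread (hypothetical check, not Rails' own behaviour).
def check_forgery_config(session_store, forgery_opts)
  has_secret = forgery_opts.key?(:secret)
  if session_store == :cookie_store
    raise CsrfConfigError, ":secret is meaningless with the cookie session store" if has_secret
    :session_token
  else
    raise CsrfConfigError, "a server-side session store needs :secret" unless has_secret
    :session_id_digest
  end
end

# Minimal session stand-ins, constructed for this example.
class ServerSession
  attr_reader :session_id
  def initialize
    @session_id = SecureRandom.hex(16)
    @data = {}
  end
  def [](key)       @data[key]       end
  def []=(key, val) @data[key] = val end
  def next_request!; end   # id persists between requests
end

class CookieSession < ServerSession
  # Assumption: only @data travels in the cookie, so the id is fresh each request.
  def next_request!
    @session_id = SecureRandom.hex(16)
  end
end

# Render a form (token embedded), then handle the submit on the next request.
# Returns true if the token the server recomputes matches the one it rendered.
def form_roundtrip_verifies?(strategy, session, secret = nil)
  token_for = lambda do
    case strategy
    when :session_id_digest then token_from_session_id(session.session_id, secret)
    when :session_token     then token_from_session(session)
    else raise ArgumentError, "unknown strategy #{strategy}"
    end
  end
  rendered  = token_for.call   # token put into the hidden form field
  session.next_request!        # browser posts the form back
  submitted = token_for.call   # what the server computes when verifying
  rendered == submitted
end

if __FILE__ == $0
  puts check_forgery_config(:cookie_store, {})                    # :session_token
  puts form_roundtrip_verifies?(:session_id_digest, CookieSession.new, 'abc')  # false: Tim's failure
  puts form_roundtrip_verifies?(:session_token, CookieSession.new)             # true
end
```

The digest strategy verifies fine against ServerSession and fails against CookieSession, which is exactly the combination the thread wants Rails to refuse at configuration time rather than at the first form submit.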
Tim Haines
2008-Sep-02 08:59 UTC
Re: protect_from_forgery(secret) and config.action_controller.session_store
Cheers Koz, I might have a poke around with it over the weekend and see if I can come up with anything useful. Tim.
Tim Haines
2008-Sep-02 12:29 UTC
Re: protect_from_forgery(secret) and config.action_controller.session_store
I decided to have a go at this tonight. Patch attached at http://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/957 I'm happy to hear any feedback on the patch - as it might have a broader impact than I'm aware of with my limited experience hacking on rails source. Cheers, Tim.
Tim Haines
2008-Sep-02 20:17 UTC
Re: protect_from_forgery(secret) and config.action_controller.session_store
This patch (or one like it) also has the side benefit of being able to simplify the generated code for ActionController. The :secret could be uncommented by default, and the comment on the line above could be removed.