Hi,

Following Jonathan Weiss's recent talk at RubyEnRails on security, I wanted to ask if it might be a good idea to do something like this by default in the app template? Obviously this is aimed specifically at developers doing open-source apps.

  # Replace this file with a linked version in production, or remove the if
  # statement if your session_store.rb file is never made public.
  if Rails.env == 'production'
    raise "Need to link the proper session key!"
  else
    ActionController::Base.session = {
      :key    => '_my_apps_session',
      :secret => 'oh-so-secret'
    }
  end

Cheers,
Eloy
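As an added illustration of the "linked version" approach in Eloy's proposal (this is not code from the thread or from Rails itself): the committed initializer only carries placeholder values, and the real secret is resolved from outside the repository, failing loudly in production when it is missing, still the placeholder, or too short. The SESSION_SECRET variable name, the config/session_secret file path and the 30-byte minimum are assumptions chosen for the example.

```ruby
# Added example: resolve the cookie-store secret outside the committed
# initializer so an open-source repository never carries the real one.
# The env var name, file path and MIN_BYTES are assumptions, not Rails conventions.
require 'securerandom'

module SessionSecret
  PLACEHOLDER = 'oh-so-secret'   # value that must never reach production
  MIN_BYTES   = 30               # assumed minimum length for a real secret

  # Returns the secret for the given environment name.
  # Lookup order: SESSION_SECRET env var, then a gitignored file,
  # else a per-process random value outside production.
  def self.resolve(env, env_vars: ENV, secret_file: 'config/session_secret')
    candidate = env_vars['SESSION_SECRET']
    candidate ||= File.read(secret_file).strip if File.file?(secret_file)

    if env == 'production'
      if candidate.nil? || candidate.empty?
        raise ArgumentError, 'Need to provide the proper session secret!'
      elsif candidate == PLACEHOLDER
        raise ArgumentError, 'Session secret is still the placeholder from the repository'
      elsif candidate.bytesize < MIN_BYTES
        raise ArgumentError, "Session secret must be at least #{MIN_BYTES} bytes"
      end
      candidate
    else
      candidate || SecureRandom.hex(32)   # dev/test: any secret will do
    end
  end

  # Builds the hash a Rails 2.3 initializer assigns to ActionController::Base.session.
  def self.config(env, key: '_my_apps_session', **opts)
    { :key => key, :secret => resolve(env, **opts) }
  end
end

# In config/initializers/session_store.rb (only executes inside a Rails process):
if defined?(ActionController::Base) && defined?(Rails)
  ActionController::Base.session = SessionSecret.config(Rails.env.to_s)
end
```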
Eloy Duran wrote:
> Hi,
>
> Following Jonathan Weiss's recent talk at RubyEnRails on security, I
> wanted to ask if it might be a good idea to do something like this by
> default in the app template? Obviously this is aimed specifically at
> developers doing open-source apps.
>
>   # Replace this file with a linked version in production, or remove the if
>   # statement if your session_store.rb file is never made public.
>   if Rails.env == 'production'
>     raise "Need to link the proper session key!"
>   else
>     ActionController::Base.session = {
>       :key    => '_my_apps_session',
>       :secret => 'oh-so-secret'
>     }
>   end

It's great to force a new deployment to define its own session store, but if your application can't use CookieSessionStore because the session is more than 4 KB, or you want to use ActiveRecordSessionStore but need a migration, this doesn't help to inform about that. I think that all open projects need to define a good process to update or change the session store.

--
Cyril Mougel
http://blog.shingara.fr/
Things should be optimized for the majority. And the majority of apps aren't open sourced. Instead, the problem can be alleviated by appropriate documentation in the generated initializer.

On Thu, Nov 12, 2009 at 10:10 AM, Eloy Duran <eloy.de.enige@gmail.com> wrote:
>
> Hi,
>
> Following Jonathan Weiss's recent talk at RubyEnRails on security, I
> wanted to ask if it might be a good idea to do something like this by
> default in the app template? Obviously this is aimed specifically at
> developers doing open-source apps.
>
>   # Replace this file with a linked version in production, or remove the if
>   # statement if your session_store.rb file is never made public.
>   if Rails.env == 'production'
>     raise "Need to link the proper session key!"
>   else
>     ActionController::Base.session = {
>       :key    => '_my_apps_session',
>       :secret => 'oh-so-secret'
>     }
>   end
>
> Cheers,
> Eloy

--
Cheers!
- Pratik
http://m.onkey.org | http://twitter.com/lifo
True, that was my gripe against it as well. Although I do think that adding documentation won't help much, it's better than nothing. I'll push something to doc-rails tomorrow, unless someone beats me to it :)

Sent from my iPhone

On 12 nov 2009, at 17:03, Pratik <pratiknaik@gmail.com> wrote:
>
> Things should be optimized for the majority. And the majority of apps
> aren't open sourced. Instead, the problem can be alleviated by
> appropriate documentation in the generated initializer.
>
> On Thu, Nov 12, 2009 at 10:10 AM, Eloy Duran
> <eloy.de.enige@gmail.com> wrote:
>>
>> Hi,
>>
>> Following Jonathan Weiss's recent talk at RubyEnRails on security, I
>> wanted to ask if it might be a good idea to do something like this by
>> default in the app template? Obviously this is aimed specifically at
>> developers doing open-source apps.
>>
>>   # Replace this file with a linked version in production, or remove the if
>>   # statement if your session_store.rb file is never made public.
>>   if Rails.env == 'production'
>>     raise "Need to link the proper session key!"
>>   else
>>     ActionController::Base.session = {
>>       :key    => '_my_apps_session',
>>       :secret => 'oh-so-secret'
>>     }
>>   end
>>
>> Cheers,
>> Eloy
>
> --
> Cheers!
> - Pratik
> http://m.onkey.org | http://twitter.com/lifo