michael.hasenstein@googlemail.com
2010-Apr-05 09:05 UTC
Rails 3 (latest git): "Missing cookie signing secret"
It seems obvious, but I could not find anything using Google. I DID find articles like http://m.onkey.org/2010/2/5/signed-and-permanent-cookies-in-rails-3, however, that doesn't help - I KNOW what it's supposed to be used for, but I cannot figure out how to SET the secret. I have a file config/initializers/cookie_verification_secret.rb which sets Rails.application.config.cookie_secret, which I thought should be what's asked for? Anyway, tried to set Rails.application.config.signing_secret in the same file, which didn't help.

Grep-ing through all of the rails3 sources shows file actionpack/lib/action_controller/metal/cookies.rb, which says config.cookie_secret IS the signing_secret.

1) In that case, is it really necessary to have two names for one and the same thing?

2) Any idea why I get the app error with this message? I'm in the process of changing from authlogic to devise, but until a few minutes ago I at least got the homepage. Not sure how devise could be the culprit but maybe it is.
michael.hasenstein@googlemail.com
2010-Apr-05 10:24 UTC
Re: Rails 3 (latest git): "Missing cookie signing secret"
It happens in devise/lib/devise/strategies/rememberable.rb, line

    @remember_cookie ||= cookies.signed[remember_key]

stack trace (abridged):

    actionpack/lib/action_dispatch/middleware/cookies.rb:169:in `initialize'
    actionpack/lib/action_dispatch/middleware/cookies.rb:132:in `new'
    actionpack/lib/action_dispatch/middleware/cookies.rb:132:in `signed'
    devise/strategies/rememberable.rb:35:in `remember_cookie'
    devise/strategies/rememberable.rb:12:in `valid?'
michael.hasenstein@googlemail.com
2010-Apr-05 10:41 UTC
Re: Rails 3 (latest git): "Missing cookie signing secret"
In order to debug I changed the SignedCookieJar class initializer to include a log statement.

    def initialize(parent_jar, config = {})
      Rails.logger.debug "CONFIG: #{config.inspect}"  # --> line added for debugging
      raise 'Missing cookie signing secret' if config[:signing_secret].blank?
      @parent_jar = parent_jar
      @config = config
      @verifier = ActiveSupport::MessageVerifier.new(config[:signing_secret])
    end

The output in the logfile is

    CONFIG: {}

I have a file config/initializers/cookie_verification_secret.rb with a content of

    Rails.application.config.cookie_secret = '...(secret)...'

Rails 3 Beta2+ (it's the latest from github) bug?
Rizwan Reza
2010-Apr-05 13:42 UTC
Re: Re: Rails 3 (latest git): "Missing cookie signing secret"
I just pulled the latest commits from Rails master and it seems this is fixed now. You now need to define the relevant configuration like this:

    Rails.application.config.session_store :cookie_store, :key => '_appname_session'
    Rails.application.config.secret_token = 'secret'

Omit 'Rails.application.' if you're defining in application.rb.
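Added example, not part of the thread and not Rails or Devise code: a stand-alone sketch of the guard behind "Missing cookie signing secret" and of what the secret protects once it is set. `ToySignedJar`, `MIN_SECRET_LENGTH` and the sample values are hypothetical, and HMAC-SHA256 from Ruby's OpenSSL library is used as a stand-in for ActiveSupport::MessageVerifier.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Hypothetical stand-in for a signed cookie jar; not Rails or Devise source.
class ToySignedJar
  MIN_SECRET_LENGTH = 30 # assumed policy for this example

  def initialize(config = {})
    secret = config[:signing_secret].to_s
    # The guard from the thread: an empty config hash leaves nothing to sign with.
    raise ArgumentError, 'Missing cookie signing secret' if secret.strip.empty?
    raise ArgumentError, 'Cookie signing secret is too short' if secret.length < MIN_SECRET_LENGTH
    @secret = secret
  end

  # Returns the value as the browser would store it: "<base64 payload>--<hex HMAC>".
  def sign(value)
    data = Base64.strict_encode64(value.to_s)
    "#{data}--#{hmac(data)}"
  end

  # Returns the original value, or nil if the cookie is malformed or was modified.
  def verify(cookie)
    data, mac = cookie.to_s.split('--', 2)
    return nil if data.nil? || mac.nil?
    return nil unless secure_equal?(mac, hmac(data))
    Base64.strict_decode64(data)
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), @secret, data)
  end

  # Constant-time comparison so the check does not leak how many bytes matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample data: a random key and a made-up remember-me value.
jar = ToySignedJar.new(:signing_secret => SecureRandom.hex(64))
cookie = jar.sign('user-42')
puts jar.verify(cookie).inspect                  # "user-42"
puts jar.verify(cookie.sub('--', 'x--')).inspect # nil (payload was altered)
```

The 'secret' value in the reply above is a placeholder: anyone who knows or guesses the token can produce cookies that pass verification, so a real secret_token should be long, random (for example from SecureRandom.hex(64)) and kept out of version control.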
michael.hasenstein@googlemail.com
2010-Apr-05 17:43 UTC
Re: Rails 3 (latest git): "Missing cookie signing secret"
Yes, today's change fixed it.
Is this configuration approach due to be changing? Still getting conflicting deprec notices on the cookie secret and I'm not sure on how we should define session domains now:

    config.action_dispatch.session = { :key / :domain / :secret }

in application.rb? Initializers? Both? :)

Kee