myexperiment-hackers


[myexperiment-hackers] [2846] trunk: added session and cookie secrets to


From: noreply
Subject: [myexperiment-hackers] [2846] trunk: added session and cookie secrets to the configuration file
Date: Mon, 28 Nov 2011 09:23:18 -0500 (EST)

Revision
2846
Author
dgc
Date
2011-11-28 09:23:18 -0500 (Mon, 28 Nov 2011)

Log Message

added session and cookie secrets to the configuration file

Modified Paths

Diff

Modified: trunk/config/default_settings.yml (2845 => 2846)


--- trunk/config/default_settings.yml	2011-11-28 12:55:20 UTC (rev 2845)
+++ trunk/config/default_settings.yml	2011-11-28 14:23:18 UTC (rev 2846)
@@ -330,6 +330,19 @@
 
 secret_word: our_secret_word_that_no_one_knows
 
+# session store secret - This secret key is used for session store integrity.
+#
+#                        (see config/initializers/session_store.rb)
+
+session_store_secret: dc9f8b03a18fc2b7fa858bf660d9685f1637ed67c1ff0fd5c39978ec2f22ccca8201b32d89aeada76722b4ee5fa3df9df7400b37995636876a7140f0382231ef
+
+# cookie verifier secret - This secret key is used to verify cookie session
+#                          data integrity.
+#                          
+#                          (see config/initializers/cookie_verification_secret.rb)
+
+cookie_verifier_secret: 64a59b43e7aa93e55a5db119180a2973b584555f71e87388de5c27682407987446a0293dab64f5913cb19ead617893546b3646c98672905a38e6dfbfb5871034
+
 # google_web_analytics - Enable this to enable Google web analytics.
 
 google_web_analytics:
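
Review bot: The values added for `session_store_secret` and `cookie_verifier_secret` in this hunk are the same strings that this revision removes from `session_store.rb` and `cookie_verification_secret.rb`, so the keys stay in the committed tree and every installation that runs with these defaults signs sessions and cookies with a published key. Consider shipping an empty or obviously placeholder default here, generating a fresh random value per installation, and treating the two values shown as disclosed and due for rotation.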

Modified: trunk/config/initializers/cookie_verification_secret.rb (2845 => 2846)


--- trunk/config/initializers/cookie_verification_secret.rb	2011-11-28 12:55:20 UTC (rev 2845)
+++ trunk/config/initializers/cookie_verification_secret.rb	2011-11-28 14:23:18 UTC (rev 2846)
@@ -4,4 +4,4 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random, 
 # no regular words or you'll be exposed to dictionary attacks.
-ActionController::Base.cookie_verifier_secret = '64a59b43e7aa93e55a5db119180a2973b584555f71e87388de5c27682407987446a0293dab64f5913cb19ead617893546b3646c98672905a38e6dfbfb5871034';
+ActionController::Base.cookie_verifier_secret = Conf.cookie_verifier_secret
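
Review bot: The guidance in the context lines above the assignment ("at least 30 characters and all random", "all old signed cookies will become invalid") now describes a value that lives in `default_settings.yml`, but the comment added there for `cookie_verifier_secret` only says what the key is used for. Suggest copying the length, randomness and invalidation warnings next to the setting itself, since that is where an administrator will edit the value.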

Modified: trunk/config/initializers/session_store.rb (2845 => 2846)


--- trunk/config/initializers/session_store.rb	2011-11-28 12:55:20 UTC (rev 2845)
+++ trunk/config/initializers/session_store.rb	2011-11-28 14:23:18 UTC (rev 2846)
@@ -5,8 +5,8 @@
 # Make sure the secret is at least 30 characters and all random, 
 # no regular words or you'll be exposed to dictionary attacks.
 ActionController::Base.session = {
-  :key         => '_empty2311_session',
-  :secret      => 'dc9f8b03a18fc2b7fa858bf660d9685f1637ed67c1ff0fd5c39978ec2f22ccca8201b32d89aeada76722b4ee5fa3df9df7400b37995636876a7140f0382231ef'
+  :key         => 'myexperiment_session',
+  :secret      => Conf.session_store_secret
 }
 
 # Use the database for sessions instead of the cookie-based default,
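
Review bot: The `:key` line changes the session cookie name from `'_empty2311_session'` to `'myexperiment_session'`, which the log message ("added session and cookie secrets to the configuration file") does not mention. Cookies issued under the old name will no longer be picked up as the session, so existing users are likely to be signed out on deploy; suggest calling the rename out in the log message or landing it as a separate revision so it can be reverted independently of the secret change.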

Modified: trunk/lib/conf.rb (2845 => 2846)


--- trunk/lib/conf.rb	2011-11-28 12:55:20 UTC (rev 2845)
+++ trunk/lib/conf.rb	2011-11-28 14:23:18 UTC (rev 2846)
@@ -169,6 +169,14 @@
     self.fetch_entry('recaptcha_private')
   end
 
+  def self.session_store_secret
+    self.fetch_entry('session_store_secret')
+  end
+
+  def self.cookie_verifier_secret
+    self.fetch_entry('cookie_verifier_secret')
+  end
+
   def self.layouts
     #TODO: Perhaps implement code that can load different/extra settings files based on current environment
     layouts = self.fetch_entry('layouts')
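
Review bot: Nothing in `session_store_secret` or `cookie_verifier_secret` checks that the configured entry is present and long enough before both initializers use it as a signing key. Because both initializers now read through these two accessors, this is a convenient single place to raise a clear startup error when the value is blank or shorter than the 30 characters the initializer comments ask for, and a short comment on each accessor noting that it returns key material would help keep the values out of logs and debug output.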
