68

Possible Duplicate:
No secret option provided to Rack::Session::Cookie warning?

While creating scaffolding, I got this error today:

SECURITY WARNING: No secret option provided to Rack::Session::Cookie. This poses a security threat. It is strongly recommended that you provide a secret to prevent exploits that may be possible from crafted cookies. This will not be supported in future versions of Rack, and future versions will even invalidate your existing user cookies.

But the key is set in config/initializers/secret_token.rb.

Am I supposed to do anything or is this just a standard warning which I can safely ignore since I already have the key?

Community
  • 1
  • 1
iCyborg
  • 4,699
  • 15
  • 53
  • 84
  • 3
    Just got this as well, after updating Rails 3.2.9 -> 3.2.10 which also updated Rack 1.4.1 -> 1.4.2. – Henrik N Jan 07 '13 at 07:59
  • 13
    More info here: http://stackoverflow.com/questions/10374871/no-secret-option-provided-to-racksessioncookie-warning – Henrik N Jan 07 '13 at 08:00

2 Answers2

23

This is a known issue under discussion. It is due to the upgrade to Rack 1.4.2 and your choices. Until Rails is updated with a solution, your should ignore the error or downgrade to Rack 1.4.1, according to the people that know ;)

Leopd
  • 41,333
  • 31
  • 129
  • 167
Jonas Schubert Erlandsson
  • 3,910
  • 1
  • 24
  • 37
3

According to the discussion in some other sites, this warning is popping up as Rails is using Rack cookies in a different way than intended. It should be ok to just ignore this warning for now until there is a final agreement on how to handle this issue and a fix in place.

Sri
  • 2,233
  • 4
  • 31
  • 55