No secret option provided to Rack::Session::Cookie

最新推荐文章于 2018-06-27 14:56:23 发布

原创最新推荐文章于 2018-06-27 14:56:23 发布 · 241 阅读

0 ·

CC 4.0 BY-SA版权

rails ruby 专栏收录该内容

1 篇文章

订阅专栏

本文解决了一个在使用Rails框架时遇到的安全警告问题，该警告提示没有为Rack::Session::Cookie提供密钥选项，存在安全隐患。文章提供了具体的解决方案，通过在初始化方法中设置默认密钥来避免潜在的安全风险。

执行rails s时出现如下错误：

SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
        This poses a security threat. It is strongly recommended that you
        provide a secret to prevent exploits that may be possible from crafted
        cookies. This will not be supported in future versions of Rack, and
        future versions will even invalidate your existing user cookies.

做如下修改
/usr/lib/ruby/gems/1.9.1/gems/actionpack-3.2.9/lib/action_dispatch/middleware/session/abstract_store.rb

module Compatibility
      def initialize(app, options = {})
        options[:key] ||= '_session_id'
        options[:secret] ||= Rails.application.config.secret_token # insert this line, only a temp solution
        super
      end