Sinatra/1.4.3 use Rack::Session::Cookie warning

My configuration code:

require 'sinatra'

#set :environment, :production
enable :sessions
enable :logging
set run: true

case
  when production?
    set port: 8081
  when development?
    require 'sinatra/reloader'
    require 'better_errors'
    use BetterErrors::Middleware
    BetterErrors.application_root = __dir__
end

use Rack::Session::Cookie, key: 'N&wedhSDF',
    domain: "localhost",
    path: '/',
    expire_after: 14400,
    secret: '*&(^B234'

get '/' do
  erb :hello
end

It still shows a warning:

SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
This poses a security threat. It is strongly recommended that you
provide a secret to prevent exploits that may be possible from crafted
cookies. This will not be supported in future versions of Rack, and
future versions will even invalidate your existing user cookies.

But it doesn't show up in production.

The question is: why does it still show the warning even if Rack::Session::Cookie is already set?

Kokizzu asked Aug 04 '13 15:08



1 Answer

You are using both

enable :sessions

which makes Sinatra set up cookie-based sessions, and

use Rack::Session::Cookie, ...

which also adds sessions to your app, so you end up with two instances of Rack::Session::Cookie in your middleware stack.

The warning is being generated by the session middleware included by Sinatra. By default Sinatra doesn’t create a session secret when running in the development environment (in classic mode at least, it does for modular apps), and so Rack generates the warning in development.

You should only need one of the two ways of enabling sessions; using the two together could result in them interacting in unexpected ways.

To avoid the warning, you can explicitly set a secret for the Sinatra session with the session_secret option:

enable :sessions
set :session_secret, '*&(^B234'

You can also pass the options hash as an argument when enabling sessions. Instead of enable :sessions, do this:

set :sessions, key: 'N&wedhSDF',
  domain: "localhost",
  path: '/',
  expire_after: 14400,
  secret: '*&(^B234'
matt answered Oct 27 '22 14:10

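To make concrete what the warning is about, here is an added example (not code from the question, the answer, Sinatra or Rack) that models in plain Ruby what the `secret` option gives Rack::Session::Cookie: the session hash is serialised, base64-encoded and signed with an HMAC keyed by the secret, and on the way back in the signature is verified before the payload is trusted. It uses only the standard library (`openssl`, `json`, `securerandom`), so it runs without Sinatra or Rack installed. The class `SignedCookieSession`, the `demo` and `generate_session_secret` helpers, and the JSON serialisation (Rack 1.x used Marshal by default) are assumptions made for illustration; only the `payload--hexdigest` cookie layout mirrors what Rack's cookie session produces.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Added example, not Rack's or Sinatra's code: a simplified model of what the
# :secret option to Rack::Session::Cookie provides. The session hash is
# serialised (JSON here; Rack 1.x used Marshal by default), base64-encoded and
# signed with an HMAC over the secret. On the way back in, the signature is
# checked before the payload is trusted, so a cookie that was edited or signed
# under a different secret yields an empty session instead of client-chosen
# data. Class and method names are hypothetical.
class SignedCookieSession
  def initialize(secret)
    raise ArgumentError, 'a session secret is required' if secret.nil? || secret.empty?
    @secret = secret
  end

  # Produce the cookie value "<base64 payload>--<hex HMAC>", the same two-part
  # layout Rack's cookie session uses.
  def encode(session_hash)
    payload = [JSON.generate(session_hash)].pack('m0') # strict base64, no newlines
    "#{payload}--#{digest(payload)}"
  end

  # Parse a cookie value back into a session hash. Any failure (missing
  # signature, bad signature, undecodable payload) returns an empty session.
  def decode(cookie)
    payload, sig = cookie.to_s.split('--', 2)
    return {} unless payload && sig && secure_compare(digest(payload), sig)
    JSON.parse(payload.unpack1('m0'))
  rescue JSON::ParserError, ArgumentError
    {}
  end

  private

  def digest(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so the signature check does not leak timing information.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# What the answer's `set :session_secret` should hold in a real deployment: a
# long random value taken from the environment, not a short literal in the source.
def generate_session_secret
  SecureRandom.hex(32) # 64 hex characters = 256 bits of entropy
end

# Walk through a legitimate round trip and two cookies that must be rejected.
def demo(secret = generate_session_secret)
  store = SignedCookieSession.new(secret)
  cookie = store.encode({ 'user_id' => 42, 'admin' => false })

  # Constructed tampered cookie: the payload is swapped for one claiming admin
  # while the original signature is kept. The HMAC no longer matches, so the
  # verifier discards it.
  forged_payload = [JSON.generate({ 'user_id' => 42, 'admin' => true })].pack('m0')
  forged = "#{forged_payload}--#{cookie.split('--', 2).last}"

  {
    round_trip: store.decode(cookie),
    tampered: store.decode(forged),
    other_secret: SignedCookieSession.new('different-secret').decode(cookie)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints the round-trip session intact and an empty hash for both the tampered cookie and the cookie checked under another secret; that second case is also why the Rack warning mentions that future versions "will invalidate your existing user cookies" once a secret is required, since cookies signed without one cannot pass verification. Note that without a secret there is nothing to verify, which is the exposure the `SECURITY WARNING` describes, and that a secret should come from configuration (for example an environment variable) rather than a literal like the one in the question.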