Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

When open-sourcing a live Rails app, is it dangerous to leave the session key secret in source control?

I've got a Rails app that's been running live for some time, and I'm planning to open source it in the near future. I'm wondering how dangerous it is to leave the session key store secret in source control while the app is live.

If it's dangerous, how do people usually handle this problem? I'd guess that it's easiest to just move the string to a text file that's ignored by the SCM, and read it in later.

Just for clarity, I'm talking about this:

# Your secret key for verifying cookie session data integrity.
# If you change this key, all old sessions will become invalid!
# Make sure the secret is at least 30 characters and all random, 
# no regular words or you'll be exposed to dictionary attacks.
ActionController::Base.session = {
  :key         => '_application_session',
  :secret      => '(long, unique string)'
}

And while we're on the subject, is there anything else in a default Rails app that should be protected when open sourcing a live app?

like image 787
Robert Speicher Avatar asked Apr 17 '10 21:04

Robert Speicher


2 Answers

Flip the question around. Would you reuse a secret key from someone else's project that you just downloaded? Probaby not, and other smart users of your code won't either. Malicious users will then have a key to use as an attack in your main site, as well as against any users lazy enough to not change the key.

Other config files you might have which should not be shared include database.yml, s3.yml, amazon_s3.yml, etc. If you wouldn't mail it to a stranger, don't keep it in your scm when you unleash your code to the world.

like image 72
jdl Avatar answered Sep 18 '22 00:09

jdl


I'd put this into a config file. You'll probably have the need for some config settings anyway, so why don't you put it there and add a comment that this should be modified when the user installs the software.

like image 35
Patrick Cornelissen Avatar answered Sep 19 '22 00:09

Patrick Cornelissen