author: David Heinemeier Hansson <david@loudthinking.com> 2007-11-21 15:47:50 +0000
committer: David Heinemeier Hansson <david@loudthinking.com> 2007-11-21 15:47:50 +0000
commit: 8a086c590fbc015584437f680b20c9a0fcc47f3d (patch)
tree: b53bfc857ea1dfbd1720ad6f9cc1251bea746e6d /actionpack/lib/action_controller/session
parent: 9b83e3396180d0dbcb23ec3d71adb198eae7629b (diff)
Emphasize the importance of a dictionary attack-proof secret for the cookie store
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8181 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/lib/action_controller/session')
-rw-r--r-- actionpack/lib/action_controller/session/cookie_store.rb | 5
1 files changed, 4 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
index 01f059f156..6de4d88ca0 100644
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -22,7 +22,10 @@ require 'openssl' # to generate the HMAC message digest
# Session options:
# :secret An application-wide key string or block returning a string
# called per generated digest. The block is called with the
-# CGI::Session instance as an argument.
+# CGI::Session instance as an argument. It's important that the
+# secret is not vulnerable to a dictionary attack. Therefore,
+# you should choose a secret consisting of random numbers and
+# letters and preferably more than 30 characters.
#
# Example: :secret => '449fe2e7daee471bffae2fd8dc02313d'
# :secret => Proc.new { User.current_user.secret_key }
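Review bot: the new `+` lines give a length target ("preferably more than 30 characters") but say nothing about where the randomness comes from; a hand-typed string of "random numbers and letters" is still guessable, so the comment should say the secret must come from a cryptographically secure random generator (OpenSSL, already required at the top of this file for the HMAC digest, provides one). The phrase "dictionary attack" also understates the requirement: this secret is the HMAC key that authenticates the session cookie, so it has to resist exhaustive guessing, not only word-list guessing. Finally, the example `:secret => '449fe2e7daee471bffae2fd8dc02313d'` on the unchanged line below is 32 hex characters, i.e. 16 bytes of entropy, which is considerably less than 30 mixed-case alphanumeric characters would give; stating the requirement in bytes of random data rather than character count would make the guidance and the example agree.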