author Justin George <justin.george@gmail.com> 2013-07-30 12:38:44 -0700
committer Justin George <justin.george@gmail.com> 2013-07-30 12:38:44 -0700
commit 72e53910a0811d2d95011bce0169d9a36ddbe851 (patch)
tree a68b0ca2e62b182cbdc74372f5acf8b23f93f522 /guides/source
parent e14039eacb7448399a5942751ef38f3a051b5ea4 (diff)
update guide to reflect default HMAC SHA1 in MessageVerifier used in SignedCookieStore [ci skip]
Diffstat (limited to 'guides/source')
-rw-r--r-- guides/source/security.md 2
1 files changed, 1 insertions, 1 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index ad0546810d..4bc7902ef6 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -93,7 +93,7 @@ Rails 2 introduced a new default session storage, CookieStore. CookieStore saves
* The client can see everything you store in a session, because it is stored in clear-text (actually Base64-encoded, so not encrypted). So, of course, _you don't want to store any secrets here_. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie.
-That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA512, which has not been compromised, yet). So _don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters_.
+That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA1, for compatibility, but could be configured to SHA512 for additional confidence). So _don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters_, and consider using the stronger hash algorithm if your Ruby implementation supports it.
`config.secret_key_base` is used for specifying a key which allows sessions for the application to be verified against a known secure key to prevent tampering. Applications get `config.secret_key_base` initialized to a random key in `config/initializers/secret_token.rb`, e.g.:
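Review bot: the replacement line describes the cookie digest as "the digest algorithm, which defaults to SHA1", while the commit message itself says the default is HMAC SHA1 in MessageVerifier; the guide text should say HMAC-SHA1 explicitly, since an HMAC's tamper resistance rests on the server-side secret rather than on the bare hash, and a reader seeing only "SHA1" may wrongly conclude the session cookie is only as strong as plain SHA-1. The phrases "could be configured to SHA512" and "if your Ruby implementation supports it" also leave the reader without an action: name the configuration option through which the digest is selected, or drop the implementation qualifier. Minor: "i.e. a word from a dictionary", carried over unchanged from the removed line, should read "e.g.", as a dictionary word is one example of a trivial secret, not its definition.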