Introduce SecretKeyGenerator for more secure session secrets than CGI::Session's pseudo-random id generator. Consider extracting to Active Support later. Closes #10286.

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8229 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

1 files changed, 5 insertions, 1 deletions

diff --git a/railties/lib/rails_generator/generators/applications/app/app_generator.rb b/railties/lib/rails_generator/generators/applications/app/app_generator.rb
index 55c8bf3239..02d9b0fb88 100644
--- a/railties/lib/rails_generator/generators/applications/app/app_generator.rb
+++ b/railties/lib/rails_generator/generators/applications/app/app_generator.rb
@@ -1,5 +1,6 @@
 require 'rbconfig'
 require 'digest/md5' 
+require 'rails_generator/secret_key_generator'
 
 class AppGenerator < Rails::Generator::Base
   DEFAULT_SHEBANG = File.join(Config::CONFIG['bindir'],
@@ -33,6 +34,9 @@ class AppGenerator < Rails::Generator::Base
     md5 << String($$)
     md5 << @app_name
 
+    # Do our best to generate a secure secret key for CookieStore
+    secret = Rails::SecretKeyGenerator.new(@app_name).generate_secret
+
     record do |m|
       # Root directory and all subdirectories.
       m.directory ''
@@ -61,7 +65,7 @@ class AppGenerator < Rails::Generator::Base
 
       # Environments
       m.file "environments/boot.rb",    "config/boot.rb"
-      m.template "environments/environment.rb", "config/environment.rb", :assigns => { :freeze => options[:freeze], :app_name => @app_name, :app_secret => md5.hexdigest }
+      m.template "environments/environment.rb", "config/environment.rb", :assigns => { :freeze => options[:freeze], :app_name => @app_name, :app_secret => secret }
       m.file "environments/production.rb",  "config/environments/production.rb"
       m.file "environments/development.rb", "config/environments/development.rb"
       m.file "environments/test.rb",        "config/environments/test.rb"