diff options
Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_controller/session/cookie_store.rb | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb index 6de4d88ca0..81092882f7 100644 --- a/actionpack/lib/action_controller/session/cookie_store.rb +++ b/actionpack/lib/action_controller/session/cookie_store.rb @@ -53,9 +53,7 @@ class CGI::Session::CookieStore end # The secret option is required. - if options['secret'].blank? - raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb' - end + ensure_secret_secure(options['secret']) # Keep the session and its secret on hand so we can read and write cookies. @session, @secret = session, options['secret'] @@ -78,6 +76,22 @@ class CGI::Session::CookieStore options['no_cookies'] = true end + # To prevent users from using something insecure like "Password" we make sure that the + # secret they've provided is at least 30 characters in length. + def ensure_secret_secure(secret) + # There's no way we can do this check if they've provided a proc for the + # secret. + return true if secret.is_a?(Proc) + + if secret.blank? + raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb' + end + + if secret.length < 30 + raise ArgumentError, "Secret should be something secure, like #{CGI::Session.generate_unique_id}. The value you provided: [#{secret}]" + end + end + # Restore session data from the cookie. def restore @original = read_cookie |