From 8a086c590fbc015584437f680b20c9a0fcc47f3d Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson
Date: Wed, 21 Nov 2007 15:47:50 +0000
Subject: Emphasize the importance of a dictionary attack-proof secret for the cookie store

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8181 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 actionpack/lib/action_controller/session/cookie_store.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
index 01f059f156..6de4d88ca0 100644
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -22,7 +22,10 @@ require 'openssl' # to generate the HMAC message digest
 # Session options:
 # :secret An application-wide key string or block returning a string
 # called per generated digest. The block is called with the
-# CGI::Session instance as an argument.
+# CGI::Session instance as an argument. It's important that the
+# secret is not vulnerable to a dictionary attack. Therefore,
+# you should choose a secret consisting of random numbers and
+# letters and preferably more than 30 characters.
 #
 # Example: :secret => '449fe2e7daee471bffae2fd8dc02313d'
 # :secret => Proc.new { User.current_user.secret_key }
-- 
cgit v1.2.3
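Review bot: The added comment states the requirement in terms of character classes and length ("random numbers and letters", "more than 30 characters"), which a hand-typed, low-entropy string can satisfy while still being guessable; the real requirement is that the secret be generated by a cryptographically secure random source. Because the session cookie (and its HMAC, per the openssl require in the hunk header) is handed to the client, anyone holding one can test candidate secrets offline, so unpredictability rather than length alone is what defends against a dictionary attack. I would reword the new lines along the lines of `# secret is not vulnerable to a dictionary attack: the signed cookie is visible to the` / `# client, so a guessable secret can be tested offline. Generate it with a secure random` / `# generator (e.g. OpenSSL::Random.random_bytes) rather than choosing it by hand.` The example value `'449fe2e7daee471bffae2fd8dc02313d'` (32 hex characters, 128 bits) already fits that guidance and could be named as the recommended size instead of "more than 30 characters".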