I would rather have the system accept multiple tokens at one time so you can 
rotate them on a production server. This is easily something you could set up 
via cron, and if an attacker gets a token it would only be valid for hours 
instead of days/months.


Heroku would love to rotate your tokens for you, but right now we can't. When 
you serve a page and then change a token, any forms that page submits will 
be invalid to the next server with the new token.

—
Richard Schneeman
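The "accept N tokens at once" idea above, as an added example (not code from this thread or from Rails itself): a small stand-alone verifier, written with only Ruby's stdlib, that signs with the newest secret but still accepts signatures made with any secret kept in its list, so a form rendered before a rotation is still valid afterwards and only expires once its secret is dropped. The class name `MultiSecretVerifier` and the `keep:` window are assumptions for illustration.

```ruby
require "openssl"
require "base64"

# Constructed example: sign with the newest secret, verify against every
# secret still in the list, and drop the oldest secret on rotation.
class MultiSecretVerifier
  def initialize(secrets)
    raise ArgumentError, "need at least one secret" if secrets.empty?
    @secrets = secrets.dup # newest secret first
  end

  # Sign data with the newest secret: "<base64 payload>--<hex hmac>".
  def generate(data)
    payload = Base64.strict_encode64(data)
    "#{payload}--#{digest(@secrets.first, payload)}"
  end

  # Return the original data if the signature matches any current
  # secret; return nil for a tampered, malformed, or expired message.
  def verify(message)
    payload, sig = message.split("--", 2)
    return nil if payload.nil? || sig.nil?
    ok = @secrets.any? { |s| secure_compare(digest(s, payload), sig) }
    ok ? Base64.strict_decode64(payload) : nil
  rescue ArgumentError # invalid base64 in the payload
    nil
  end

  # Rotation (what a cron job would call): push a fresh secret to the
  # front and keep only the `keep` newest, so old tokens age out.
  def rotate!(new_secret, keep: 2)
    @secrets.unshift(new_secret)
    @secrets = @secrets.first(keep)
  end

  private

  def digest(secret, payload)
    OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  end

  # Constant-time comparison so a timing side channel cannot leak the MAC.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

With `keep: 2`, a token signed under the secret that was current two rotations ago stops verifying, which is how the window of validity is bounded to the rotation interval rather than to the life of the deployment.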

On Sat, Mar 29, 2014 at 8:24 AM, Bert Goethals <bertgoeth...@gmail.com>
wrote:

> Valid point. However, security is never 100%.
> I do think that N secret tokens is a "safer" situation than just one.
> Also note that any future tenants would be safe from "remembering" the base
> token.
> I'll give this a shot this weekend.
