[Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-10 Thread Weston Platter
Following the recent Rails vulnerability, should the secret_token.rb be added by default to the .gitignore?

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-11 Thread Godfrey Chan
That would break essentially all Rails applications that use a git-based deploy flow, such as Heroku and many other cap recipes. What might be a good idea though - is to use different secret token for each environment, and allow that to be specified through an ENV variable, like how the ActiveRec

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-11 Thread Michael Koziarski
On Friday, 11 January 2013 at 8:56 PM, Weston Platter wrote: > Following the recent Rails vulnerability, should the secret_token.rb be added > by default to the .gitignore? > > > This sits in the same camp as database.yml, adding it to the gitignore inhibits development (the app won't bo

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-11 Thread Michael Koziarski
On Friday, 11 January 2013 at 9:04 PM, Godfrey Chan wrote: > That would break essentially all rails applications that uses a git-based > deploy flow, such as Heroku and many other cap recipes. > > What might be a good idea though - is to use different secret token for each > environment, and all

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-11 Thread Rodrigo Rosenfeld Rosas
On 11-01-2013 06:05, Michael Koziarski wrote: On Friday, 11 January 2013 at 8:56 PM, Weston Platter wrote: Following the recent Rails vulnerability, should the secret_token.rb be added by default to the .gitignore? This sits in the same camp as database.yml, adding it to the gitignore inhi

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-11 Thread Richard Schneeman
I've talked at length with developers in Heroku, we're interested in making the default security of new Rails apps better out of the box. I know there is a much larger discussion going on and I believe there are one or more people actively looking into the options. I would like to work with a

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-11 Thread kristian
Just looked in the application which I'm just working on and indeed I missed this secret_token.rb thingy though I know about it. PLEASE just make the overall setup more secure. For example development + test could use a SecureRandom.hex(64) as security token and production needs to do something ma

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-12 Thread Jay Feldblum
Richard, That's overall the way I would go too, with two changes. 1. Name the environment variable RAILS_SECRET_TOKEN - i.e., prefixed with RAILS_ - since an application may have many secret tokens unrelated to session cookies. Environment variables related to a given library or framework ough

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-13 Thread Weston Platter
@schneems. @jay. Good ideas. A fear that I have is that these conventions are Heroku specific, and not deployment agnostic. This feels enterprisely or Microsoft-ishy (or this feeling could be my own emotional baggage). To make this a Rails deployment convention and not just a Heroku, maybe mak

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-13 Thread Steve Klabnik
It's only Heroku-specific in the sense that Heroku basically follows http://www.12factor.net/ ;)

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-13 Thread Jay Feldblum
Weston, I see using environment variables as the interface to configure your application as the anti-Microsoft. As the Unix. It is simple to implement in both the infrastructure (if you are implementing your own) and in your application. The convention is not Heroku-specific; it is specific t

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-13 Thread Richard Schneeman
Looks like you can set ENV variables from Capistrano fairly trivially: http://craiccomputing.blogspot.com/2009/08/capistrano-and-environment-variables.html API docs for Capistrano config: http://rubydoc.info/github/capistrano/capistrano/master/Capistrano/Configuration/Actions/Invocation -- Ri

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-14 Thread tiegz
Hi Jay, I had the same idea last week to "gracefully" switch sessions by setting a 2nd secret_token. I saw your post over the weekend so decided to put my extension into a gem. You can grab the gem here,
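The scheme sketched across this thread (a per-environment secret, with production reading it from an environment variable and development/test using a throwaway random value, plus a second token so existing sessions survive a rotation) as an added Ruby example; it is not code from the thread, from Rails, or from the gem tiegz mentions. RAILS_SECRET_TOKEN follows Jay's naming suggestion, and the HMAC "payload--signature" cookie format is an assumed, simplified stand-in for Rails' signed cookies.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Resolve the session secret per environment, as proposed in the thread:
# production must get it from the environment (RAILS_SECRET_TOKEN is an
# assumed name) and fails fast if it is missing or short; development and
# test get a fresh SecureRandom value, so nothing secret lives in git.
def resolve_secret_token(env, environ = ENV)
  return SecureRandom.hex(64) unless env == 'production'
  token = environ['RAILS_SECRET_TOKEN']
  if token.nil? || token.length < 64
    raise 'RAILS_SECRET_TOKEN must be set (>= 64 chars) in production'
  end
  token
end

# Constant-time comparison so signature checks do not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simplified signed cookie: base64(payload) + "--" + HMAC-SHA256 hex digest.
# Signing always uses the *current* token, so cookies migrate on next write.
def sign(payload, secret)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, data)}"
end

# Verify against an ordered list of secrets: current token first, then any
# retired token still inside the rotation window. This is the "2nd
# secret_token" idea: old sessions keep working until they are re-signed.
def verify(cookie, secrets)
  data, sig = cookie.to_s.split('--', 2)
  return nil if data.nil? || sig.nil?
  secrets.each do |secret|
    expected = OpenSSL::HMAC.hexdigest('SHA256', secret, data)
    return Base64.strict_decode64(data) if secure_compare(expected, sig)
  end
  nil
rescue ArgumentError # malformed base64 in the payload part
  nil
end
```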

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-14 Thread mateo
Another option would be to add support for Procfile and/or .env files, either via Foreman, or integrating function similar to the dotenv gem (https://github.com/bkeepers/dotenv). The .env files offer a simple way to handle environment variables, and the Procfile simplifies developing application

Re: [Rails-core] Should the secret_token.rb be added to the .gitignore?

2013-01-14 Thread Lailson Bandeira
Yeah, it would be awesome to see that out-of-the-box in Rails. -- LAILSON BANDEIRA http://lailson.me/ On Jan 14, 2013, at 6:26 PM, mateo wrote: > Another option would be to add support for Procfile and/or .env files, either > via Foreman, or integrating function similar to the dotenv gem > (