The ultimate community for Ruby on Rails developers.

Question regarding the secret token file


7 replies to this topic

#1 Stuart Hannig

Stuart Hannig

    Signalman

  • Members
  • 15 posts

Posted 24 August 2013 - 05:51 AM

This is in reference to the secret token file.

Reference: http://ruby.railstut...de-secret_token

 

Michael Hartl rightfully informs us to change the contents of this file to what he provided in the listing on that web page if we are uploading our code to a public repo. However, upon fetching and using code that has a dynamic security token file set like so, is it best practice to replace that file with a static security token once again (as long as our code isn't going back up to a public repo)?

 

I ask because apparently the security token is set for encrypting session/cookie data. And it wouldn't be horrible if you kept it dynamic, but if you restart your server, then anyone who had a cookie or session running on the site won't be able to use it anymore. So it's in our best interest to set the security token to a static one, correct?

 

I just wanted to double check.

 

What do you do?



#2 Jamie

Jamie

    Controller

  • Moderators
  • 114 posts
  • Location: The UK

Posted 24 August 2013 - 05:34 PM

Right now it's static in my applications, but if it's dynamic and it does change every now and then, the worst that would happen, that I know of, is your users would have to log in again as cookies would not be associated any longer.

 

That's my understanding anyways!


Rails developer based in Newcastle, UK.
Web app owner - Twitter lover

#3 Rowel

Rowel

    Controller

  • Members
  • 109 posts

Posted 27 August 2013 - 05:34 PM

but if you restart your server, then anyone who had a cookie or session running on the site won't be able to use it anymore. So it's in our best interest to set the security token to a static one, correct?

 

 

The way I read MH's code is: if you restart the server and the ".secret" file exists, it will just read its content and reuse the token -- i.e. it will not create a brand new token.

 

If the file ".secret" does not exist in your Rails root folder (brand new app, or you manually deleted the .secret file), then it will generate a new token for you, and then store the token into a newly created ".secret" file -- then users will have to re-login again, as Jamie says.

 

BTW, I'm a Rails beginner and I've been using MH's tutorial too, and I'm currently on Chap. 9 on my 2nd attempt. (On my 1st attempt, I only got to Chap. 4 when I realized I need to learn Ruby first to really understand Rails.)



#4 Ohm

Ohm

    Guard

  • Members
  • 186 posts
  • Location: Copenhagen

Posted 27 August 2013 - 07:22 PM

The way I read MH's code is: if you restart the server and the ".secret" file exists, it will just read its content and reuse the token -- i.e. it will not create a brand new token.

 

If the file ".secret" does not exist in your Rails root folder (brand new app, or you manually deleted the .secret file), then it will generate a new token for you, and then store the token into a newly created ".secret" file -- then users will have to re-login again, as Jamie says.

 

BTW, I'm a Rails beginner and I've been using MH's tutorial too, and I'm currently on Chap. 9 on my 2nd attempt. (On my 1st attempt, I only got to Chap. 4 when I realized I need to learn Ruby first to really understand Rails.)

 

You're right. We only create the .secret file if it doesn't exist, and if it does exist, we just read from it.

 

You do not need to get this technical with the secret token. I just have (cut down to fit)

XXX::Application.config.secret_key_base = ENV['SECRET_TOKEN'] || 'c4d98...84'

This I am more than comfortable to push to a public repo, as long as I ensure that ENV['SECRET_TOKEN'] is always set in my production app. 


Blog: http://ohm.sh | Twitter: madsohm
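Below is an added example (not code from the tutorial or from anyone in this thread) that puts the two approaches discussed above side by side in plain Ruby: the read-or-create pattern for a `.secret` file in the Rails root, and an `ENV` lookup that falls back to it. The function names `secure_token` and `resolve_secret_key_base`, the variable name `SECRET_TOKEN`, and the 64-byte token length are assumptions made for the example. Calling `secure_token` twice on the same directory returns the same token, which is why a server restart does not log users out; deleting the file is what rotates it. The file is written with mode 0600 so only the deploying user can read it, and it belongs in `.gitignore`.

```ruby
require 'securerandom'
require 'tmpdir'

# Read-or-create pattern (assumed implementation, not the tutorial's listing):
# reuse the token in <rails_root>/.secret if present, otherwise generate one
# and persist it. Restarting the app therefore keeps the same token.
def secure_token(rails_root)
  token_file = File.join(rails_root, '.secret')
  if File.exist?(token_file)
    File.read(token_file).chomp          # existing token: sessions stay valid
  else
    token = SecureRandom.hex(64)         # 64 random bytes, hex-encoded (128 chars)
    File.write(token_file, token)
    File.chmod(0o600, token_file)        # keep the file private to the deploy user
    token                                # brand new token: existing cookies are invalidated
  end
end

# Ohm's approach: prefer an environment variable (assumed name SECRET_TOKEN),
# and fall back to the file-based token only when it is not set.
def resolve_secret_key_base(rails_root, env = ENV)
  env['SECRET_TOKEN'] || secure_token(rails_root)
end

# Demonstrates the behaviour discussed in the thread on a throwaway directory.
def demo
  Dir.mktmpdir do |root|
    first  = secure_token(root)
    second = secure_token(root)                  # same file, same token
    File.delete(File.join(root, '.secret'))
    third  = secure_token(root)                  # file gone, so a new token is minted
    {
      stable:   first == second,                 # restart without deleting: unchanged
      rotated:  first != third,                  # deleting the file rotates the secret
      from_env: resolve_secret_key_base(root, { 'SECRET_TOKEN' => 'from-env' }) == 'from-env',
      length:   first.length
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```

The `env` parameter on `resolve_secret_key_base` exists only so the lookup can be exercised with a constructed hash instead of the real process environment; in an application you would call it with the default.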


#5 Rowel

Rowel

    Controller

  • Members
  • 109 posts

Posted 27 August 2013 - 08:18 PM

Thanks Ohm. 

 

Question:

Ok, I can set the ENV variable inside Rails console.

But when I go to Terminal and type env, I don't see the ENV variable I just created inside the Rails console. Am I missing something?

Is that ENV variable only available to the Rails app running? 



#6 Ohm

Ohm

    Guard

  • Members
  • 186 posts
  • Location: Copenhagen

Posted 27 August 2013 - 08:48 PM

ENV-variables are variables in the environment in which Rails is run. E.g. in my terminal I can run env and see all the variables. When I run Ruby, I have the same variables in the ENV-array.

ohm@effie:~/ » env | grep RUBY_VERSION
RUBY_VERSION=ruby-2.0.0-p195
ohm@effie:~/ » ruby -e "p ENV['RUBY_VERSION']"
"ruby-2.0.0-p195"

When I run Rails, I will either have set the variables I want to use before, or I can set them together with Rails.

# Before
ohm@effie:~/ » export SECRET="my little secret"
ohm@effie:~/ » env | grep SECRET
"my little secret"
ohm@effie:~/ » rails s

# Together with
ohm@effie:~/ » SECRET="my little secret" rails s

To answer your question about whether the ENV-array is only available to the running app: no, it is not.

project> ENV['RUBY_VERSION']
=> "ruby-2.0.0-p195"
project> 

You can't however create entries in the ENV-array from the Rails console and have them available to the outside. That is not how they work.


Blog: http://ohm.sh | Twitter: madsohm


#7 Rowel

Rowel

    Controller

  • Members
  • 109 posts

Posted 27 August 2013 - 10:30 PM

I see. 

 

What I'm doing is opening a 2nd Tab in my Terminal, and on the 2nd terminal instance, I don't see the ENV variables I just created from the 1st Terminal window. 

 

But on the 1st Terminal window, the ENV variable exists. 

 

You can't however create entries in the ENV-array from the Rails console and have them available to the outside. That is not how they work.

 

Got it. 



#8 Ohm

Ohm

    Guard

  • Members
  • 186 posts
  • Location: Copenhagen

Posted 28 August 2013 - 04:58 AM

Sorry if I didn't make this clear.

 

ENV (Environment) variables come from the environment, that is, your bash, zsh, or whatever shell you use.

 

bash gets its environment variables from ~/.bashrc (among other files). If you want a variable to be globally set, you need to set it in this file.

 

When you set them in the terminal, that is, just by writing them as I did above, the variables will exist only in that instance of the terminal; they will be local to it. Setting them before running e.g. rails s, they will be local to only that application.


Blog: http://ohm.sh | Twitter: madsohm
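As an added example (my own, not from Ohm's posts) of the inheritance rule he describes in #6 and #8, the Ruby script below spawns a child `ruby` process the way a shell spawns `rails s`: a variable set in the parent's environment before spawning is visible to the child, but a variable the child assigns into its own `ENV` never propagates back to the parent, just as a Rails console cannot export anything to the terminal that started it. The variable name `DEMO_SECRET` is a constructed placeholder.

```ruby
require 'open3'
require 'rbconfig'

# Parent sets a variable for the child only (like `SECRET=... rails s`):
# the child's ENV contains it, and the parent's own ENV is untouched.
def child_sees_parent_env?(name, value)
  out, _status = Open3.capture2({ name => value },
                                RbConfig.ruby, '-e', "print ENV[#{name.inspect}].to_s")
  out == value && ENV[name].nil?
end

# Child assigns into its ENV (like setting a variable in `rails console`):
# the assignment dies with the child; the parent never sees it.
def child_assignment_leaks?(name)
  ENV.delete(name)
  Open3.capture2(RbConfig.ruby, '-e',
                 "ENV[#{name.inspect}] = 'set-in-child'; print ENV[#{name.inspect}]")
  !ENV[name].nil?
end

# A variable exported in the parent process is inherited by every child it
# spawns afterwards (like `export SECRET=...` followed by `rails s`).
def exported_var_inherited?(name, value)
  ENV[name] = value
  out, _status = Open3.capture2(RbConfig.ruby, '-e', "print ENV[#{name.inspect}].to_s")
  ENV.delete(name)
  out == value
end

if __FILE__ == $PROGRAM_NAME
  puts "child sees parent-provided var: #{child_sees_parent_env?('DEMO_SECRET', 'abc')}"
  puts "child assignment leaks to parent: #{child_assignment_leaks?('DEMO_SECRET')}"
  puts "exported var inherited by child: #{exported_var_inherited?('DEMO_SECRET', 'abc')}"
end
```

`RbConfig.ruby` is used so the child runs under the same interpreter as the parent; the same three outcomes hold for any child process, which is why a second terminal tab (a sibling, not a child) sees nothing set in the first.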

