Bug #2109: session_token should not be static - Foreman

Actions

Copy link

Bug #2109

closed

session_token should not be static

Added by Sandor Szücs over 11 years ago. Updated over 11 years ago.

Status:

Closed

Priority:

Immediate

Assignee:

Dominic Cleal

Category:

Users, Roles and Permissions

Target version:

1.1

Difficulty:

Triaged:

Bugzilla link:

Pull request:

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

The session token of rails app should not be public available and static for all installations.

http://biggestfool.tumblr.com/post/24049554541/reminder-secret-token-rb-is-named-so-for-a-reason

Solution:
Generate the session token using SecureRandom, maybe as Rake Task, and add it to the installation and upgrade guides.
if RUBY_VERSION >= 1.9
require 'securerandom'
SecureRandom.urlsafe_base64(64)[0..63]
#=> "sZT3OdJVpHeIdbH5O8YLflOBXJbOv2ZY76GqsN1Clg1c1aiOzcMFZzKrRfUtJDTS"
else
...
end

Files

security.rake

1.22 KB

put it into lib/tasks/

Sandor Szücs, 01/05/2013 08:05 AM

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Custom queries

Bug #2109

session_token should not be static

Updated by Ohad Levy over 11 years ago

Updated by Sandor Szücs over 11 years ago

Updated by Dominic Cleal over 11 years ago

Updated by Dominic Cleal over 11 years ago

Updated by Sandor Szücs over 11 years ago

Updated by Dominic Cleal over 11 years ago

Updated by Ohad Levy over 11 years ago