Commit c56be7002d5bff816a45c4a679aa5ff2988237fa
1 parent
75570d37
Exists in
master
and in
29 other branches
ActionItem922: generate a unique session secret for each installation
Showing
1 changed file
with
12 additions
and
1 deletions
Show diff stats
config/environment.rb
| ... | ... | @@ -18,6 +18,17 @@ extra_controller_dirs = %w[ |
| 18 | 18 | app/controllers/public |
| 19 | 19 | ].map {|item| File.join(RAILS_ROOT, item) } |
| 20 | 20 | |
| 21 | +def noosfero_session_secret | |
| 22 | + file = File.join(File.dirname(__FILE__), 'session.secret') | |
| 23 | + if !File.exists?(file) | |
| 24 | + secret = (1..128).map { %w[0 1 2 3 4 5 6 7 8 9 a b c d e f][rand(16)] }.join('') | |
| 25 | + File.open(file, 'w') do |f| | |
| 26 | + f.puts secret | |
| 27 | + end | |
| 28 | + end | |
| 29 | + File.read(file).strip | |
| 30 | +end | |
| 31 | + | |
| 21 | 32 | Rails::Initializer.run do |config| |
| 22 | 33 | # Settings in config/environments/* take precedence those specified here |
| 23 | 34 | |
| ... | ... | @@ -51,7 +62,7 @@ Rails::Initializer.run do |config| |
| 51 | 62 | # no regular words or you'll be exposed to dictionary attacks. |
| 52 | 63 | config.action_controller.session = { |
| 53 | 64 | :session_key => '_noosfero_session', |
| 54 | - :secret => '7372009258e02886ca36278257637a008959504400f6286cd09133f6e9131d23460dd77e289bf99b480a3b4d017be0578b59335ce6a1c74e3644e37514926009' | |
| 65 | + :secret => noosfero_session_secret(), | |
| 55 | 66 | } |
| 56 | 67 | |
| 57 | 68 | # Adds custom attributes to the Set of allowed html attributes for the #sanitize helper | ... | ... |