stackoom
  简体   繁体   中英

Rails secret token

 原文  2010-11-22 01:07:01       ruby-on-rails/ security

Question

I'm quite confused what is secret_token used for in Rails. Can anyone explain what it is used for? Is it OK to put this token in a public source repository and use it in production, or I should change it before deploying my app to prevent some kinds of attacks?

1 answers

solution1
 31 ACCPTED  2010-11-24 03:39:56

Answering my own question - secret_token is used to prevent cookie tampering in Rails. Every cookie has a checksum saved with it, so users won't modify cookie contents (and change saved user id to steal someone's account, for example). The checksum is based on cookie contents and secret_token, so if you are using cookie based sessions you should always make sure your secret_token is really secret, otherwise you can't trust that anything you put into session came back unchanged.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Rails: Secret Token Error Secret Token Error in Rails App Rails 6 secret_key_base vs secret_token Does Rails 4.2 use secret_token? rails managing secret_token and git pull rails secret token internal server error Rails rspec and cucumber Secret token is empty Ruby on Rails config.secret_token error Does Rails secret token have to be unique for each rails app? What is the Rails secret token and how do I set it?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM