Navigation

Changeset 8200

Timestamp:

11/24/07 22:41:16 (11 months ago)

Author:

nzkoz

Message:

Improve error messages when providing a secret that is too short. Closes #10238 [Henrik N]

Files:

r8184	r8200
26	26	# secret is not vulnerable to a dictionary attack. Therefore,
27	27	# you should choose a secret consisting of random numbers and
28		# letters and ~~preferably~~ more than 30 characters.
	28	# letters and more than 30 characters.
29	29	#
30	30	# Example: :secret => '449fe2e7daee471bffae2fd8dc02313d'
…	…
39	39	# Cookies can typically store 4096 bytes.
40	40	MAX = 4096
	41	SECRET_MIN_LENGTH = 30 # characters
41	42
42	43	# Raised when storing more than 4K of session data.
…	…
85	86
86	87	if secret.blank?
87		raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb'
	88	raise ArgumentError, %Q{A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase of at least #{SECRET_MIN_LENGTH} characters" } in config/environment.rb}
88	89	end
89	90
90		if secret.length < 30
91		raise ArgumentError, ~~"Secret should be something secure, like #{CGI::Session.generate_unique_id}. The value you provided: [#{secret}]"~~
	91	if secret.length < SECRET_MIN_LENGTH
	92	raise ArgumentError, %Q{Secret should be something secure, like "#{CGI::Session.generate_unique_id}". The value you provided, "#{secret}", is shorter than the minimum length of #{SECRET_MIN_LENGTH} characters}
92	93	end
93	94	end