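No secret option provided to Rack::Session::Cookie warning?

I am running Rails 3.2.3 and Ruby 1.9 under Fedora 17. When I run rails s, I get this warning. How can I fix it?

SECURITY WARNING: No secret option provided to Rack::Session::Cookie. This poses a security threat. It is strongly recommended that you provide a secret to prevent exploits that may be possible from crafted cookies. This will not be supported in future versions of Rack, and future versions will even invalidate your existing user cookies.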


Downgrading to rack 1.4.1 should be sufficient to solve this for now. There's an issue open for this and I just submitted a pull request that seems to fix it for me. In any case, watch the issue, and you should be able to upgrade to rack 1.4.2 after this is fixed.

Apparently, there's ongoing discussion about how to fix this on another issue. You'll have to either downgrade to 1.4.1, ignore it, or figure out your own fix until this is dealt with (and backported, if that even happens).

Reading the discussion based on tehgeekmeister's answer, this warning is popping up as Rails is using Rack cookies in a different way than intended. It should be OK to just ignore this warning for now until there is a final agreement on how to handle this issue and a fix in place.

This is a Rails bug, as the subclass is violating the superclass API contract.

The warning can be safely ignored by Rails users.

(https://github.com/rack/rack/issues/485#issuecomment-11956708, emphasis added)

Confirmation on the rails bug discussion: https://github.com/rails/rails/issues/7372#issuecomment-11981397

An issue has been opened on GitHub: https://github.com/rails/rails/issues/8789. It appears that a bug involving Rails 3.2.10 with Rack 1.4.2 is causing this. IMO, it can be safely ignored till the issue is resolved.

EDIT: This issue has been resolved in Rails 3.2.11.

rails 3.2.9 - ruby 1.9.3p125 (2012-02-16 revision 34643) [i686-linux]

Hello everyone, the following has worked for me; it may work for you.


/usr/local/lib/ruby/gems/1.9.1/gems/actionpack-3.2.9/lib/action_dispatch/middleware/session/abstract_store.rb

    module Compatibility
      def initialize(app, options = {})
        options[:key] ||= '_session_id'
        # Fixed warning - SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
        options[:secret] ||= Rails.application.config.secret_token
        super
      end
    end

Updating Rails to 3.2.13 can solve this problem.