111

I am running Rails 3.2.3, Ruby 1.9 under Fedora 17. I get this warning, when I run rails s, and how do I fix?

SECURITY WARNING: No secret option provided to Rack::Session::Cookie. This poses a security threat. It is strongly recommended that you provide a secret to prevent exploits that may be possible from crafted cookies. This will not be supported in future versions of Rack, and future versions will even invalidate your existing user cookies.

Yo Ludke
  • 2,149
  • 2
  • 23
  • 38
bigdaveyl
  • 1,391
  • 2
  • 9
  • 17

7 Answers7

86

This is a Rails bug, as the subclass is violating the superclass API contract.

The warning can be safely ignored by Rails users.

(https://github.com/rack/rack/issues/485#issuecomment-11956708, emphasis added)

Confirmation on the rails bug discussion: https://github.com/rails/rails/issues/7372#issuecomment-11981397

Austin Lin
  • 2,545
  • 17
  • 17
20

Reading the discussion based on tehgeekmeisters answer, this warning is popping up as Rails is using Rack cookies in a different way than intended. It should be ok to just ignore this warning for now until there is a final agreement on how to handle this issue and a fix in place.

iltempo
  • 15,718
  • 8
  • 61
  • 72
17

This issue has been worked around in the just released Rails 3.2.11.

Log: https://github.com/rails/rails/commits/v3.2.11

Commit: https://github.com/rails/rails/commit/95fe9ef945a35f56fa1c3ef356aec4a3b868937c

Henrik N
  • 15,786
  • 5
  • 82
  • 131
  • 1
    @Dreyfuzz Note that 3.2.11 is later than 3.2.2 (since it's 11, not 1.1). So just upgrading Rails may fix your problem. – Henrik N Apr 16 '13 at 11:49
  • Yeah, for some reason I got stuck thinking in decimal notation where 3.2.2 is the same as 3.2.20. Thought I was on the bleeding edge there for a minute! – Dreyfuzz Apr 16 '13 at 15:01
16

rails 3.2.9 - ruby 1.9.3p125 (2012-02-16 revision 34643) [i686-linux]

Hello everyone, the following has worked for me, it may work for you.


/usr/local/lib/ruby/gems/1.9.1/gems/actionpack-3.2.9/lib/action_dispatch/middleware/session/abstract_store.rb
module Compatibility
          def initialize(app, options = {})
            options[:key]     ||= '_session_id'
            #fixed warning - SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
            options[:secret] ||= Rails.application.config.secret_token
            super
          end
    end
nbit001
  • 224
  • 2
  • 6
  • 2
    This is the answer with the least of the "up votes", but the very only answer that **actually** solves the problem, without downgrading, and having compatibility issues. It just clears the annoying message – Aleks Mar 18 '13 at 23:45
  • 1
    Rather not patching the rails code. I think this better to be resolved in the release. upgrading to 3.2.11 would be better than modifying rails code. – allenhwkim Sep 03 '13 at 19:37
6

Downgrading to rack 1.4.1 should be sufficient to solve this for now. There's an issue open for this and I just submitted a pull request that seems to fix it for me. In any case, watch the issue, and you should be able to upgrade to rack 1.4.2 after this is fixed.

Apparently, there's ongoing discussion about how to fix this on another issue. You'll have to either downgrade to 1.4.1, ignore it, or figure out your own fix until this is dealt with (and backported, if that even happens).

heartpunk
  • 2,235
  • 1
  • 21
  • 26
5

An issue has been opened in Github https://github.com/rails/rails/issues/8789. It appears that a bug involving Rails 3.2.10 with Rack 1.4.2 is causing this. IMO, it can be safely ignored till the issue is resolved.

EDIT: This issue has been resolved in Rails 3.2.11.

Abhra Basak
  • 382
  • 4
  • 13
3

rails update to 3.2.13 ,can solve this question.

leonyuan
  • 31
  • 1