rake secret?

If you’ve tried using Bort, the bootstrapped Rails skeleton application on steroids, you may have noticed one instruction in the readme file that says “Edit the REST_AUTH_SITE_KEY in each of the environment files.”

Huh? REST_AUTH_SITE_KEY? Some googling revealed fairly little information. After some digging, though, the pieces fell into place; so what follows is a (hopefully thorough-enough) explanation.

First of all, to generate a secret key, just use the “secret” rake command:

rake secret

This will generate a sufficiently-long, sufficiently-strong key. And you’re done. Restful Authentication is happy.

Interestingly enough, if you look in config/environment.rb, under config.action_controller.session, there’s something called “secret.” And this is the very thing that spurred the creation of the secret rake task.

So what is this secret? And can you reuse the same secret for your session? (The answer is “probably yes,” but I’m not 100% sure what the implications are–since it’s impossible for end-users to know either or both secret keys.)

Some time ago (in Rails 2.0), they changed the way they handle sessions, so that Rails stores sessions on the client side. Isn’t this a security risk? Yes! So they implemented this secret key (the one in environment.rb), so that the client-side session is encrypted–using the secret key.

“But wait,” the security experts cry, “can’t you still crack the key by brute-forcing it (by testing every possible combination of characters)?” Yes! But given a sufficiently large and convoluted enough (i.e. a mix of letters and numbers) key, this is computationally infeasible (it’ll take millions of years to try all the combinations).

And that’s what rake secret is for–to generate a strong enough, long enough key, to keep your session state safe.

So, again–Restful Authentication needs a secure key. So generate it with rake secret. It’s strong enough that you don’t need to worry about it being cracked. (It generates a 128-character key; there are 1.61 x 10^199 possible combinations–that’s with 199 zeros.)
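To make concrete what that key actually protects, here is an added example (my own code, not from the post, Bort or Rails) that mimics what rake secret generates and how the Rails 2 cookie store uses the secret: the session data is only base64-encoded, and the secret keys an HMAC that the server checks before trusting the cookie. The helper names are assumptions of mine.

```ruby
require 'securerandom'
require 'openssl'
require 'base64'

# Equivalent of what `rake secret` does in Rails 2.x: 64 random bytes,
# printed as 128 hex characters.
def generate_secret
  SecureRandom.hex(64)
end

# Simplified model of the Rails 2 CookieStore (helper names are my own).
# The session hash is marshaled and base64-encoded in the clear; the secret
# keys an HMAC-SHA1 over that text, appended after "--". Anyone holding the
# cookie can read the data, but only the server can produce a valid digest.
def build_cookie(session, secret)
  data = Base64.strict_encode64(Marshal.dump(session))
  digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
  "#{data}--#{digest}"
end

# Constant-time comparison so the digest cannot be learned byte by byte
# from response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil if the cookie is malformed or its digest
# does not match. The HMAC check happens before Marshal.load so untrusted
# bytes are never deserialized.
def verify_cookie(cookie, secret)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
  return nil unless secure_compare(expected, digest)
  Marshal.load(Base64.strict_decode64(data))
end

if __FILE__ == $PROGRAM_NAME
  secret = generate_secret
  cookie = build_cookie({ 'user_id' => 42 }, secret)
  puts "cookie:   #{cookie}"
  puts "verified: #{verify_cookie(cookie, secret).inspect}"
  # Swap in a modified payload but keep the original digest (constructed tamper case).
  data, digest = cookie.split('--', 2)
  forged = Base64.strict_encode64(Marshal.dump({ 'user_id' => 1 })) + "--#{digest}"
  puts "forged:   #{verify_cookie(forged, secret).inspect}"  # nil
end
```

Decoding the first half of the cookie without the secret reveals the session contents, which is why nothing sensitive should live in a cookie-store session even with a strong key.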

Resources:

About Ashiq Alibhai

Ashiq Alibhai, PMP, has been a Rails aficionado since 2007, and developed web applications since early 2003, where he learned PHP in one summer. As the driving-force behind RailsRocket and the Launchpad project, he seeks to share the ease of development with Rails far and wide.

2 Responses to rake secret?

  1. Bryce says:

    The session isn’t encrypted on the client (pipe it through base64 --decode | hexdump -C). The secret’s merely used to verify that the cookie data was set by the server.

  2. ashes999 says:

    Has this changed since Rails 2.0, or was this always the case? What about the Rails Security blog link I mentioned–are they wrong?