Reputation: 20591
Rails secret token
I'm quite confused what is secret_token used for in Rails. Can anyone explain what it is used for? Is it OK to put this token in a public source repository and use it in production, or I should change it before deploying my app to prevent some kinds of attacks?
Upvotes: 23
Views: 6103
Answers (1)
Reputation: 20591
Answering my own question - secret_token is used to prevent cookie tampering in Rails. Every cookie has a checksum saved with it, so users won't modify cookie contents (and change saved user id to steal someone's account, for example). The checksum is based on cookie contents and secret_token, so if you are using cookie based sessions you should always make sure your secret_token is really secret, otherwise you can't trust that anything you put into session came back unchanged.
Upvotes: 33
Related Questions
- JWT token security Check with Ruby
- How to authenticate an access token in rails?
- Generate Secure Token - Ruby on Rails
- Rails 4 Authenticity Token
- Using secret passwords in Rails App
- Rails: token authentication from scratch
- What is the Rails secret token and how do I set it?
- What is the use of secret_token in rails?
- Rails - Work Around Authenticity Token
- restrict_access using tokens in Rails