Defect #12755

Rack SECURITY WARNING: No secret option provided to Rack::Session::Cookie.

Added by Terence Mill over 1 year ago. Updated over 1 year ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Gems support
Target version: -
Resolution: Wont fix
Affected version: 2.2.0

Description

/home/user/.rvm/rubies/jruby-1.7.0/bin/jruby --1.9 -e $stdout.sync=true;$stderr.sync=true;load($0=ARGV.shift) /home/user/redmine-2.2/script/rails server -b 172.16.107.48 -p 3000 -e production
=> Booting WEBrick
=> Rails 3.2.10 application starting in production on http://localhost:3000
=> Call with -d to detach
=> Ctrl-C to shutdown server
/home/usre/redmine-2.2/lib/redmine.rb:26 warning: already initialized constant FCSV

SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
This poses a security threat. It is strongly recommended that you
provide a secret to prevent exploits that may be possible from crafted
cookies. This will not be supported in future versions of Rack, and
future versions will even invalidate your existing user cookies.
Called from: /home/user/.rvm/gems/jruby-1.7.0/gems/actionpack-3.2.10/lib/action_dispatch/middleware/session/abstract_store.rb:28:in `initialize'.

[2013-01-07 15:12:01] INFO WEBrick 1.3.1
[2013-01-07 15:12:01] INFO ruby 1.9.3 (2012-11-28) [java]
[2013-01-07 15:12:01] INFO WEBrick::HTTPServer#start: pid=17280 port=3000

See also http://stackoverflow.com/questions/10374871/no-secret-option-provided-to-racksessioncookie-warning

History

#1 Updated by Etienne Massip over 1 year ago

Did you rake generate_secret_token as explained in RedmineInstall?

#2 Updated by Terence Mill over 1 year ago

Yes, I did.

#3 Updated by Jack S. over 1 year ago

It's a Rails/Rack issue: https://github.com/rails/rails/issues/7372 and does not depend on the Rails secret session token.

#4 Updated by Etienne Massip over 1 year ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

Sorry, missed that. Closed as such.

#5 Updated by Etienne Massip over 1 year ago

  • Category changed from Code cleanup/refactoring to Gems support

#6 Updated by Etienne Massip over 1 year ago

FWIW, this warning should be removed with the next releases and the upgrade to the latest Rails version.
