Earlier today I realised that our secret_token.rb of openSNP is publicly available on GitHub - which is a bad thing, because our server signs all cookies with that thing!
Any old attacker can take the secret token and re-generate valid cookies for your application. The session data (including the user id) is signed with the secret token before it is stored in the cookie, and because the user doesn’t know the secret token, he/she cannot change his/her user id without breaking the signature. If the attacker knows the secret token, it’s relatively easy to regenerate a valid cookie to log in as the admin (or check out what other users have inside their account…)
It seems this is not public knowledge - if you google for “secret_token.rb” you can find quite a few projects on GitHub and elsewhere which store their secret key in the open. I just hope that’s not the actual secret on the server.
How to fix it: Create a new token using “rake secret” (I had to install the vegas-gem for that - alternatively you can make up your own long random string), put it in its own file, have that file in the .gitignore and link to it inside your secret_token.rb: like this for example. Then restart your server (this will invalidate your old sessions, users will have to log in again). I don’t think this works when you deploy to Heroku, here’s a solution for that.
Takes 5 minutes and makes your application much more secure!
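To make the mechanism concrete, here is an added example (not code from the post or from openSNP) that models how a Rails 3 CookieStore cookie is signed with the secret token, why rotating the token invalidates every old session, and how to load the token from a file that is kept out of the repository. The function names and the JSON payload are my own simplifications; Rails uses Marshal for the payload.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Rails 3 CookieStore format: "<base64 session>--<hex HMAC-SHA1 over the base64>".
# Anyone holding the secret can produce a valid signature for any session.
def sign_session(session_hash, secret)
  payload = Base64.strict_encode64(JSON.generate(session_hash))
  digest  = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time comparison so the verifier does not leak the expected digest byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash when the signature is valid under +secret+, nil otherwise.
# After "rake secret" + restart, cookies signed with the old token fail here, which is
# exactly why users have to log in again.
def verify_session(cookie, secret)
  payload, digest = cookie.to_s.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
  return nil unless secure_equal?(digest, expected)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Equivalent of "rake secret": 64 random bytes as 128 hex characters.
def generate_secret
  SecureRandom.hex(64)
end

# The fix from the post: read the token from an untracked file (listed in .gitignore)
# instead of hard-coding it in config/initializers/secret_token.rb.
def load_secret(path)
  raise "#{path} missing: run `rake secret` and store the output there" unless File.exist?(path)
  File.read(path).strip
end
```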
biggestfool posted this