Emphasize the importance of a dictionary attack-proof secret for the cookie store

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8181 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2026-02-01 01:34:57 -05:00 · 2007-11-21 15:47:50 +00:00
parent 9b83e33961
commit 8a086c590f
1 changed files with 4 additions and 1 deletions
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -22,7 +22,10 @@ require 'openssl'       # to generate the HMAC message digest
 # Session options:
 #   :secret   An application-wide key string or block returning a string
 #             called per generated digest. The block is called with the
-#             CGI::Session instance as an argument.
+#             CGI::Session instance as an argument. It's important that the
+#             secret is not vulnerable to a dictionary attack. Therefore,
+#             you should choose a secret consisting of random numbers and
+#             letters and preferably more than 30 characters.
 #
 #             Example:  :secret => '449fe2e7daee471bffae2fd8dc02313d'
 #                       :secret => Proc.new { User.current_user.secret_key }