by MattRogish 4911 days ago
We use Heroku and PaaS environment variables, with a default value if you're running in development/test mode, e.g.

# Fail fast: a production boot without the secret is a misconfiguration, not something to paper over.
if Rails.env.production? && ENV['SECRET_TOKEN'].blank?
  raise 'SECRET_TOKEN environment variable must be set!'
end

secret_token = ENV['SECRET_TOKEN'] || 'safdasfjlkj...'


Make sure your session secret is a long random string (it might be tempting, if you're passing it in through the environment, to make it shorter or readable). It's an HMAC key that anyone who can get a session from your application can dictionary-attack.
Oh yes. It's probably ridiculously long (I think 256 chars, letters numbers special etc) :)
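The two points in this thread, fail-fast loading of the secret from the environment and why a short or guessable secret is fatal, as an added example that is not MattRogish's code or Rails' own implementation. It uses a simplified signed cookie (base64 payload plus HMAC-SHA1, joined by "--") in the spirit of the Rails cookie store, not its exact serialization; `DEV_SECRET_TOKEN`, `MissingSecretError` and the `WEAK_SECRETS` wordlist are constructed for the illustration. It shows that one captured cookie is enough to recover a weak secret offline and forge a new session with it, while a 64-byte random secret resists the same attack.

```ruby
require 'openssl'
require 'securerandom'

class MissingSecretError < StandardError; end

# Hypothetical development-only fallback; the real value in the post is elided.
DEV_SECRET_TOKEN = 'dev-only-insecure-token'.freeze

# Constructed wordlist standing in for what an attacker would actually try.
WEAK_SECRETS = %w[secret password changeme rails s3cr3t letmein].freeze

# Same semantics as ActiveSupport's String#blank? for nil and whitespace.
def blank?(s)
  s.nil? || s.strip.empty?
end

# Read SECRET_TOKEN from an environment hash. In production an unset or
# blank value is fatal; in any other environment fall back to the dev token.
def load_secret(env, rails_env)
  token = env['SECRET_TOKEN']
  if rails_env == 'production' && blank?(token)
    raise MissingSecretError, 'SECRET_TOKEN environment variable must be set!'
  end
  blank?(token) ? DEV_SECRET_TOKEN : token
end

# What a production secret should look like: 64 random bytes, hex-encoded
# (128 characters), far beyond any dictionary.
def generate_secret
  SecureRandom.hex(64)
end

# Constant-time comparison so the MAC check itself does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  res = 0
  a.bytes.zip(b.bytes) { |x, y| res |= x ^ y }
  res.zero?
end

# Simplified signed cookie: strict base64 payload, "--", hex HMAC-SHA1 of
# the payload under the session secret.
def sign(secret, data)
  payload = [data].pack('m0')
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, payload)}"
end

# Returns the decoded payload if the MAC checks out under `secret`, else nil.
def verify(secret, cookie)
  payload, mac = cookie.split('--', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  return nil unless secure_compare(expected, mac)
  payload.unpack1('m0')
end

# Offline attack: with one valid cookie in hand, try candidate secrets until
# one reproduces the MAC. The first hit is the key; no further requests to
# the application are needed, so rate limiting does not help.
def dictionary_attack(cookie, candidates)
  payload, mac = cookie.split('--', 2)
  return nil if payload.nil? || mac.nil?
  candidates.find { |c| OpenSSL::HMAC.hexdigest('SHA1', c, payload) == mac }
end

if __FILE__ == $0
  weak_cookie = sign('password', 'user_id=1')
  key = dictionary_attack(weak_cookie, WEAK_SECRETS)
  puts "weak secret recovered: #{key.inspect}"
  puts "forged admin session verifies: #{!verify(key, sign(key, 'user_id=1;admin=true')).nil?}"
  strong_cookie = sign(generate_secret, 'user_id=1')
  puts "random secret recovered: #{dictionary_attack(strong_cookie, WEAK_SECRETS).inspect}"
end
```

Run it as `ruby secret_token.rb`; the recovered key lets the attacker mint any session they like, which is the point of the reply above: the secret is not just a config value, it is the key to every session the app issues.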