This project is archived and is in readonly mode.

#913 ✓committed
Hongli Lai

Rails::SecretKeyGenerator should be removed in favor of SecureRandom

Reported by Hongli Lai | August 27th, 2008 @ 11:49 AM | in 2.x

Rails::SecretKeyGenerator is used for generating a secret key for the session cookie store. Ruby 1.9's SecureRandom library actually does the same thing, but slightly better. For example, SecureRandom's /dev/urandom implementation checks whether /dev/urandom is a block device and not a symlink, and opens it O_NOCTTY so that it doesn't become the process's controlling terminal. Plus, SecureRandom favors OpenSSL, which is much faster than /dev/urandom. SecretKeyGenerator favors /dev/urandom.

The attached patch removes Rails::SecretKeyGenerator and replaces it with ActiveSupport::SecureRandom.
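The device-opening precautions mentioned in the report, sketched in Ruby as an added example (not code from the ticket, the attached patch, or Rails). The function names and the default secret length are hypothetical, and the device-type check assumes a Linux-style /dev/urandom, which is a character device there.

```ruby
require 'securerandom'

URANDOM_PATH = '/dev/urandom'

# Read n bytes from the kernel RNG device, refusing anything that is not
# the real device node. (Hypothetical helper, for illustration only.)
def hardened_urandom_bytes(n, path = URANDOM_PATH)
  flags = File::RDONLY
  # NOCTTY: opening a device must never make it our controlling terminal.
  flags |= File::NOCTTY if defined?(File::NOCTTY)
  # NOFOLLOW: fail (ELOOP) if the final path component is a symlink.
  flags |= File::NOFOLLOW if defined?(File::NOFOLLOW)

  File.open(path, flags) do |f|
    # Check the already-open descriptor, not the path, so the file cannot
    # be swapped between the check and the read.
    raise IOError, "#{path} is not a character device" unless f.stat.chardev?

    data = f.read(n)
    raise IOError, "short read from #{path}" unless data && data.bytesize == n
    data
  end
end

# Session secret as hex. SecureRandom is the preferred source; the manual
# device read is used only if SecureRandom reports no usable generator.
def session_secret(byte_length = 64)
  SecureRandom.hex(byte_length)
rescue NotImplementedError
  hardened_urandom_bytes(byte_length).unpack1('H*')
end

if __FILE__ == $PROGRAM_NAME
  puts session_secret
end
```
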
