Active_record_store sessions does not pass a :secret to #protect_from_forgery in Rails 2.0.0 Preview

riles01 · October 4, 2007, 12:07am

After switching to active_record_store to host sessions, I now get the
following errors:

ActionController::InvalidAuthenticityToken in Pages#edit
Showing app/views/pages/edit.html.erb where line #5 raised:

No :secret given to the #protect_from_forgery call. Set that or use a
session store capable of generating its own keys (Cookie Session
Store).

Extracted source (around line #5):

2:
3: <%= error_messages_for :page %>
4:
5: <% form_for(@page) do |f| %>
6:

7: Name

8: <%= f.text_field :name %>

RAILS_ROOT: C:/www/rails_apps/myapp

Application Trace | Framework Trace | Full Trace
c:/www/ruby/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/
action_controller/request_forgery_protection.rb:101:in
form_authenticity_token' (eval):2:insend’
(eval):2:in form_authenticity_token' app/views/pages/edit.html.erb:5:in_run_erb_47app47views47pages47edit46html46erb’

Do I need to do something else besides create the database table and
uncomment the line in config/environment.rb?

riles01 · November 9, 2007, 5:28pm

Hello riles01, you have run your application with cookies
authentication mode and, thus, will remain sessions in your cookies.
Delete your cookies and it will work.

riles01 · November 12, 2007, 1:25pm

sorry, it seem work well, but no. in your environement.rb you have :

config.action_controller.session = {
:session_key => ‘_myapp_session’,
:secret => ‘secretpass’
}

uncomment
config.action_controller.session_store = :active_record_store

and add in your app/controller/application.rb
protect_from_forgery :secret => ‘secretpass’

and all work well.