Spree Commerce

Try It Now

"Security Vulernability: Session Cookie Store"

Posted on August 12, 2008 by Sean Schofield

There’s been a minor security fix checked into the git repository this morning. The problem relates to users who used the spree gem to create a new spree application but did not change the value of the secret key in config/environment.rb in the newly created app.

Your application is vulnerable if you have the following hash value for config.action_controller_session in your app’s config/environment.rb:

<p>:secret =&gt; &#8217;2271bed096798b2c9e7b7ec14263e669944808bb94cb56d4befa5757cbb931095a3644c785</p>

To fix it, simply change the value of the hash to some other random hash value with at least 30 characters. This has been fixed in the source and in the upcoming 0.3.0 release so newly generated applications will not have this problem.

For more details please see the related issue report.