An impending doom? Possibly. There was a thread on the Rails Core list not too long ago, titled “Cookie session security and open-source”, and it covered what seems to be an obvious security flaw. I distinctly remember following the events as they happened and thinking to myself that it made a lot of sense, and yet I fell victim to the same thing.
PowerDNS on Rails uses the cookie store, and until b2ff9410de[...] had both the session key and the session secret hard-coded in the environment.rb file.
It came down on me like a ton of bricks when I was moderating a comment by JGeiger on my previous post (Using hoptoad in open source project deployments). I quickly jumped to fix the code using a solution put out by Trevor Turk, which requires users to set both the session key and the session secret in their database.yml files.
I know this is not an optimal solution, but it works until the Core team (and we) have found a reasonable solution to the problem.
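To make the flaw concrete, here is an added example (written for this post, not code from PowerDNS on Rails or from Rails itself) that re-implements the cookie-store format the way Rails 2.x signed it: the Marshal-ed session, Base64-encoded, followed by `--` and an HMAC-SHA1 over that data keyed with the session secret. The secret value, the `forge_admin_cookie`, `server_accepts?` and `generate_installation_secret` helpers, and the session contents are all constructed for the illustration. The point it shows is that the session key (the cookie name) was never the secret; the session secret is, and once it sits in a public environment.rb, anyone can mint a cookie the server trusts. A secret generated per installation makes the same forged cookie fail verification.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Minimal stand-in for the Rails 2.x CookieStore cookie format:
#   cookie = Base64(Marshal.dump(session)) + "--" + HMAC-SHA1(secret, base64_part)
# Anyone who knows `secret` can mint a cookie the server will trust.
class CookieSessionStore
  class InvalidSignature < StandardError; end

  MIN_SECRET_LENGTH = 30  # Rails refuses shorter secrets; we do the same

  def initialize(secret)
    if secret.to_s.length < MIN_SECRET_LENGTH
      raise ArgumentError, "session secret must be at least #{MIN_SECRET_LENGTH} characters"
    end
    @secret = secret
  end

  # Serialise and sign a session hash.
  def generate(session)
    data = Base64.strict_encode64(Marshal.dump(session))
    "#{data}--#{digest(data)}"
  end

  # Check the signature first and only then deserialise. Marshal.load of
  # attacker-controlled bytes is dangerous on its own, which is exactly why a
  # forgeable signature is so serious for this store.
  def verify(cookie)
    data, sig = cookie.to_s.split("--", 2)
    raise InvalidSignature unless data && sig && secure_compare(digest(data), sig)
    Marshal.load(Base64.strict_decode64(data))
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), @secret, data)
  end

  # Constant-time comparison so the check does not leak the digest byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed placeholder standing in for a secret committed to a public repo.
# It is NOT the value that was in PowerDNS on Rails' environment.rb.
SECRET_FROM_PUBLIC_REPO = "c0ffee" * 10

# What an attacker who read environment.rb can do: sign their own session.
def forge_admin_cookie(secret_known_to_attacker)
  CookieSessionStore.new(secret_known_to_attacker).generate(
    "user_id" => 1, "role" => "admin"
  )
end

# Server-side acceptance check for a cookie under a given secret.
def server_accepts?(server_secret, cookie)
  CookieSessionStore.new(server_secret).verify(cookie)
  true
rescue CookieSessionStore::InvalidSignature
  false
end

# The fix in spirit: a per-installation secret generated once at deploy time
# and stored outside the repository (database.yml, an environment variable,
# or a database row), never a literal in environment.rb.
def generate_installation_secret
  SecureRandom.hex(64)  # 128 hex characters, well above MIN_SECRET_LENGTH
end

if __FILE__ == $0
  forged = forge_admin_cookie(SECRET_FROM_PUBLIC_REPO)
  puts "shared secret -> accepted: #{server_accepts?(SECRET_FROM_PUBLIC_REPO, forged)}"   # true
  puts "fresh secret  -> accepted: #{server_accepts?(generate_installation_secret, forged)}" # false
end
```

Two things follow from this. First, rotating the secret invalidates every existing session, so generating it once and persisting it (rather than on every boot) is what keeps users logged in across restarts. Second, SSL does not help here at all: the forged cookie is never sniffed, it is computed offline from a secret that was public, so the per-installation secret is the fix and SSL is a separate, additional protection for the zone data and the cookie in transit.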
As part of stating the obvious (you gotta love hindsight), I recommend that anyone running PowerDNS on Rails in a production environment run it over SSL. Apart from session hijacking woes, having your zone data readable as plain text is just as bad as allowing zone transfers to any DNS client…
I’m not that happy with the database.yml solution either. I’m of the opinion that the session key should be automatically generated and stored in the database for you.
I’ve cobbled together a really ugly (but functional) illustration of this using the Configurator plugin. You can check it out here:
http://github.com/trevorturk/el-dorado/tree/config/config/environment.rb
Any improvements to this would be most welcome. I’ve thought about creating a plugin to handle this automatically, but I’d really like to see a consensus emerge about the appropriate place to store installation-specific config stuff like this.