My configuration code:
require 'sinatra'
#set :environment, :production
enable :sessions
enable :logging
set run: true

case
when production?
  set port: 8081
when development?
  require 'sinatra/reloader'
  require 'better_errors'
  use BetterErrors::Middleware
  BetterErrors.application_root = __dir__
end

use Rack::Session::Cookie, key: 'N&wedhSDF',
                           domain: "localhost",
                           path: '/',
                           expire_after: 14400,
                           secret: '*&(^B234'

get '/' do
  erb :hello
end
It still shows the warning:
SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
This poses a security threat. It is strongly recommended that you
provide a secret to prevent exploits that may be possible from crafted
cookies. This will not be supported in future versions of Rack, and
future versions will even invalidate your existing user cookies.
But it does not appear in production.
The question is: if Rack::Session::Cookie is already set up, why is the warning still shown?
the purpose of session_secret? I have been searching for an answer but cannot find one anywhere. My best guess is that it is used as the salt for the hash, to stop people from forging cookies. - Piccolo
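The warning quoted above is about a Rack::Session::Cookie that was given no :secret; with a secret, Rack appends an HMAC over the encoded session data to the cookie and drops any cookie whose tag does not verify, which is the integrity check the comment guesses at. The following is an added, simplified illustration of that check and is not Rack's or Sinatra's own code; the class name SignedSessionCookie, the JSON coder, the SHA256 HMAC and the placeholder secret are assumptions (Rack's exact cookie layout and digest differ).

```ruby
require 'openssl'
require 'json'

# Simplified model of what a :secret buys Rack::Session::Cookie: the encoded
# session is followed by "--" and an HMAC over it, and the HMAC is verified
# before anything is decoded. Added illustration, not Rack's code; the JSON
# coder, SHA256 and the class name are assumptions.
class SignedSessionCookie
  def initialize(secret)
    raise ArgumentError, 'a non-empty secret is required' if secret.to_s.empty?
    @secret = secret
  end

  # Encode the session hash and append its authentication tag.
  def encode(session)
    data = [JSON.generate(session)].pack('m0') # strict base64, no newlines
    "#{data}--#{hmac(data)}"
  end

  # Return the session if the tag verifies; otherwise an empty session, so
  # an untrusted cookie is dropped rather than honoured.
  def decode(cookie)
    data, tag = cookie.to_s.split('--', 2)
    return {} if data.nil? || tag.nil? || !secure_compare(hmac(data), tag)
    JSON.parse(data.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    {} # malformed base64 or JSON: treat as no session
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
  end

  # Constant-time comparison so tag checking leaks no timing information.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed example: a valid cookie, and the same cookie with its payload
# altered (role changed to admin) while keeping the original tag.
def demo
  jar = SignedSessionCookie.new('replace-with-a-long-random-secret')
  cookie = jar.encode('user_id' => 42, 'role' => 'user')
  tag = cookie.split('--', 2).last
  altered_data = [JSON.generate('user_id' => 42, 'role' => 'admin')].pack('m0')
  { valid: jar.decode(cookie), altered: jar.decode("#{altered_data}--#{tag}") }
end
```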