views:

1083

answers:

3

I am receiving the exception CGI::Session::CookieStore::TamperedWithCookie after changing the config.action_controller.session.secret setting on an app (as part of preparation for full deployment).

Am I right in assuming that changing the secret while testers have cookies set is the cause of this, and what other causes could there be (both due to security attacks and coding issues)?

+1  A: 

Yes, testers should clear their cookies. Any time the cookie cannot be decrypted with the specified secret you'll get that error.

Vinko Vrsalovic
+3  A: 

The cause of your exception is most certainly changing the secret while testers have cookies set. The cookie is cryptographically signed using the secret to protect against users tampering with their cookie. For example, they might try to change their stored user id in order to elevate their privileges.

You could ask the testers to clear their cookies. Or, you could catch the exception and remove the cookie for your application. Some sites prefer to use ActiveRecordSession store for more control over their sessions so they drop all sessions when required but at a cost of performance.

sock
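An added illustration, not code from the question or any answer, of the signed-cookie check described above and of catching the exception to reset the session instead of surfacing it. The `payload--digest` layout and HMAC-SHA1 approximate the Rails 2.x cookie store; JSON stands in for Marshal, and the exception class, `sign_cookie`, `verify_cookie` and `load_session_or_reset` are names constructed for this example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Stand-in for CGI::Session::CookieStore::TamperedWithCookie (constructed for this example).
class TamperedWithCookie < StandardError; end

# Encode the session and append an HMAC-SHA1 over the encoded payload, keyed with the secret.
# JSON is used instead of Marshal so that verifying never runs Marshal.load on untrusted bytes.
def sign_cookie(session, secret)
  payload = Base64.strict_encode64(JSON.generate(session))
  digest  = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time comparison of two equal-length strings, so timing does not leak digest prefixes.
def digests_match?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Recompute the digest with the currently configured secret. A rotated secret or an edited
# payload both produce a mismatch, and the payload is never decoded in that case.
def verify_cookie(cookie, secret)
  payload, digest = cookie.to_s.split('--', 2)
  raise TamperedWithCookie, 'malformed session cookie' if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  raise TamperedWithCookie, 'session cookie digest mismatch' unless digests_match?(digest, expected)
  JSON.parse(Base64.strict_decode64(payload))
end

# The "catch the exception and remove the cookie" approach from the answer above: log the
# event and return an empty session, so the application overwrites the stale cookie on the
# next response instead of showing the user a 500.
def load_session_or_reset(cookie, secret, log = [])
  verify_cookie(cookie, secret)
rescue TamperedWithCookie => e
  log << "session reset: #{e.message}"
  {}
end

if __FILE__ == $0
  old_secret = 'old-secret-constructed-for-demo'   # constructed value
  new_secret = 'new-secret-constructed-for-demo'   # constructed value
  cookie = sign_cookie({ 'user_id' => 42 }, old_secret)
  p verify_cookie(cookie, old_secret)          # valid with the secret that signed it
  p load_session_or_reset(cookie, new_secret)  # empty session after the secret changes
end
```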
A: 

I found a plugin on Github that will trap the error and write it to the log without exposing the error to the user. I was plagued by this problem on a Rails 2.1 instance and it did the trick.

ern