When open-sourcing a live Rails app, is it dangerous to leave the session key secret in source control?

Question

I've got a Rails app that's been running live for some time, and I'm planning to open source it in the near future. I'm wondering how dangerous it is to leave the session key store secret in source control while the app is live.

If it's dangerous, how do people usually handle this problem? I'd guess that it's easiest to just move the string to a text file that's ignored by the SCM, and read it in later.

Just for clarity, I'm talking about this:

# Your secret key for verifying cookie session data integrity.
# If you change this key, all old sessions will become invalid!
# Make sure the secret is at least 30 characters and all random, 
# no regular words or you'll be exposed to dictionary attacks.
ActionController::Base.session = {
  :key         => '_application_session',
  :secret      => '(long, unique string)'
}

And while we're on the subject, is there anything else in a default Rails app that should be protected when open sourcing a live app?

Answer 1

Flip the question around. Would you reuse a secret key from someone else's project that you just downloaded? Probaby not, and other smart users of your code won't either. Malicious users will then have a key to use as an attack in your main site, as well as against any users lazy enough to not change the key.

Other config files you might have which should not be shared include database.yml, s3.yml, amazon_s3.yml, etc. If you wouldn't mail it to a stranger, don't keep it in your scm when you unleash your code to the world.

Answer 2

I'd put this into a config file. You'll probably have the need for some config settings anyway, so why don't you put it there and add a comment that this should be modified when the user installs the software.