SECURITY WARNING: No secret option provided to Rack::Session::Cookie.

Posted on: Saturday, Mar 22, 2014

I’m working on the web version of the Blackjack game. This is done using the Sinatra framework for Ruby.

While running the development web server (Shotgun/Thin) and using sessions, you may get the following warning in the console:

SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
This poses a security threat. It is strongly recommended that you
provide a secret to prevent exploits that may be possible from crafted
cookies. This will not be supported in future versions of Rack, and
future versions will even invalidate your existing user cookies.

After some googling, I found the cause of this warning. The warning is generated by Rack::Session::Cookie, the session middleware Sinatra adds when sessions are enabled. Without a secret, the middleware has no key to sign the cookie with, so the session data stored in the client's cookie can be rewritten by the client and the server has no way to notice.

To fix this, set a session_secret for Sinatra. The value should be a long random string (for example the output of `ruby -rsecurerandom -e 'puts SecureRandom.hex(32)'`) that is kept out of source control; the literal below is only a placeholder:

enable :sessions
# Placeholder only: in a real app read a long random secret from the
# environment, e.g. set :session_secret, ENV.fetch('SESSION_SECRET')
set :session_secret, 'This is a secret key'
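To see why the secret matters, here is an added example that is not the post's or Rack's own code: a simplified model of the two cookie formats Rack 1.x produced. With no secret the cookie is just a base64-encoded payload that anyone holding it can rewrite; with a secret the cookie is `base64(payload) + "--" + hex(HMAC-SHA1(secret, base64(payload)))` and the server rejects anything whose signature does not verify. Rack serialized the session with Marshal; JSON stands in for it here (a deliberate simplification, and safer, since the demo never deserializes untrusted objects). `UnsignedSessionCookie`, `SignedSessionCookie`, `tamper` and `generate_session_secret` are names made up for this example, and the session contents are constructed.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Constructed example: a simplified model of the cookie formats written by
# Rack::Session::Cookie (Rack 1.x), not Rack's own code. JSON replaces Marshal.

# What Rack 1.x writes when no :secret is given: the payload is only base64
# encoded, so the browser (or anyone holding the cookie) can rewrite it freely.
module UnsignedSessionCookie
  def self.encode(session)
    [JSON.generate(session)].pack('m0')
  end

  # Accepts whatever the client sends; there is nothing to verify.
  def self.decode(cookie)
    JSON.parse(cookie.to_s.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# What Rack 1.x writes when a :secret is given:
#   base64(payload) + "--" + hex(HMAC-SHA1(secret, base64(payload)))
# The server checks the HMAC before trusting the payload.
class SignedSessionCookie
  MIN_SECRET_BYTES = 32

  def initialize(secret)
    if secret.nil? || secret.bytesize < MIN_SECRET_BYTES
      raise ArgumentError, "session secret must be at least #{MIN_SECRET_BYTES} bytes"
    end
    @secret = secret
  end

  def encode(session)
    data = [JSON.generate(session)].pack('m0')
    "#{data}--#{hmac(data)}"
  end

  # Returns the session hash, or nil if the cookie is malformed or its
  # signature does not match (tampered payload, wrong secret, or unsigned).
  def decode(cookie)
    data, digest = cookie.to_s.split('--', 2)
    return nil if data.nil? || digest.nil?
    return nil unless secure_compare(hmac(data), digest)
    JSON.parse(data.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), @secret, data)
  end

  # Constant-time comparison so a timing side channel does not leak the HMAC.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# A client who edits the payload of a signed cookie but, lacking the secret,
# cannot recompute the HMAC: the old signature no longer matches the new data.
def tamper(cookie, new_session)
  _old_data, digest = cookie.split('--', 2)
  "#{[JSON.generate(new_session)].pack('m0')}--#{digest}"
end

# The kind of value to put in the Sinatra config, e.g.
#   set :session_secret, ENV.fetch('SESSION_SECRET')
# with SESSION_SECRET set at deploy time to the output of this function.
def generate_session_secret
  SecureRandom.hex(32) # 64 hex characters, 256 bits of entropy
end

if $PROGRAM_NAME == __FILE__
  codec = SignedSessionCookie.new(generate_session_secret)
  honest = codec.encode('player' => 'alice', 'chips' => 100)
  puts "signed cookie:   #{honest}"
  puts "verified:        #{codec.decode(honest).inspect}"
  forged = tamper(honest, 'player' => 'alice', 'chips' => 1_000_000)
  puts "tampered cookie: #{codec.decode(forged).inspect}" # nil: rejected
  cheat = UnsignedSessionCookie.encode('player' => 'alice', 'chips' => 1_000_000)
  puts "unsigned cookie: #{UnsignedSessionCookie.decode(cheat).inspect}" # accepted as-is
end
```

Note that the constructor refuses a short secret like the placeholder string above: the HMAC is only as strong as the key, and a guessable secret lets an attacker sign any session they like. Signing also does not encrypt the payload, so anything placed in the session is readable by the client; keep secrets and server-side state out of it.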