Keeping Session Secrets Secret

Emiko N-P.
3 min read · Mar 8, 2021

Let’s jump right in. I recently finished development of a simple MVC (Model, View, Controller) application called Collections Keeper that is designed to help museum curators and staff keep track of pieces in their collection and treatments those pieces might need to keep them in good shape. This application uses sessions to allow users to log in and out and keep track of the user as they navigate across different pages. At the beginning of development I set up sessions in my controller like so:

enable :sessions
set :session_secret, "museum_secret"

These two lines of code enabled sessions and allowed users to log in and out by setting a session[:user_id] attribute equal to the user’s unique user ID:

session[:user_id] = user.id

But there was one major drawback to this setup: the session secret. Here the secret is a short, human-readable string sitting in the source code. Anyone who can read or guess it can produce session cookies the application will accept, and with that hijack another user's session. Oh no!
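To make the risk concrete, here is an added example (not code from the Collections Keeper app or from Rack/Sinatra) that models how a cookie-based session store protects session[:user_id]: the serialized session is signed with an HMAC keyed by the session secret, and the server accepts a cookie only when the tag it recomputes with its own secret matches. A tampered payload is rejected, but anyone holding the secret can mint a cookie the server trusts, which is exactly why the secret must be unguessable. The algorithm choice (HMAC-SHA256) and the `--` separator are assumptions for this illustration.

```ruby
# Added example: a minimal signed session cookie, modelled on the way
# cookie-based session stores use :session_secret. Not the app's own code.
require 'openssl'
require 'json'

module SessionCookie
  # Constant-time byte comparison so the verifier does not leak the tag
  # through timing differences.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Serialize the session hash, base64-encode it, and append an HMAC tag
  # computed with the session secret.
  def self.seal(session, secret)
    payload = [JSON.generate(session)].pack('m0')      # strict base64, no newlines
    tag = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
    "#{payload}--#{tag}"
  end

  # Return the session hash if the tag verifies under +secret+, otherwise nil.
  # A cookie whose payload was edited, or one signed with a different secret,
  # fails here and the user is treated as logged out.
  def self.open(cookie, secret)
    payload, tag = cookie.split('--', 2)
    return nil if payload.nil? || tag.nil?
    expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
    return nil unless secure_equal?(tag, expected)
    JSON.parse(payload.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Build a cookie for user 7, then re-sign the same cookie's payload as
  # user 1 without knowing the secret: the forgery keeps the old tag and is
  # rejected. Returns [accepted_session, forged_result].
  def self.demo(secret)
    cookie = seal({ 'user_id' => 7 }, secret)
    forged_payload = [JSON.generate({ 'user_id' => 1 })].pack('m0')
    forged = "#{forged_payload}--#{cookie.split('--', 2).last}"
    [open(cookie, secret), open(forged, secret)]
  end
end

if __FILE__ == $PROGRAM_NAME
  accepted, forged = SessionCookie.demo('constructed-example-secret')
  puts "genuine cookie -> #{accepted.inspect}, tampered cookie -> #{forged.inspect}"
end
```

The point the example makes is that the signature only protects the cookie for as long as the secret is private: verification is a deterministic function of the secret, so a secret that is guessable or published in the repository gives away the whole session mechanism.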

In order to ensure hackers didn't try to bum a ride on another user's session, as it were, and use that to access content only available when signed in, I needed to ensure my sessions were secure. This was something new to me, so it required a bit of experimentation and a steep learning curve to get it all working right. Here's what I ended up doing:

The first thing was to add a gem to my Gemfile that would let me generate a random hex-encoded string, in this case the gem sysrandom:

In the Gemfile:
gem 'sysrandom'

Then, with a bit of help, I changed my session secret to the following to take advantage of the new gem's ability to generate a randomly generated hex string:

set :session_secret, "Sysrandom.hex(32)"

But something was still not working quite right. I tested logging in and was unable to complete the action. To fix this I decided, with some help, to create a .env file to store the secret, which would then be read into the setting. In order to do this I added another gem to my Gemfile called dotenv. Then I created a file in the main directory of my application called .env. dotenv copies the KEY=VALUE lines of that file into ENV as literal strings and does not evaluate Ruby, so the file has to contain the generated value itself rather than the Sysrandom call. Inside that file I added the following line:

# Paste the 64 hex characters printed by: ruby -rsysrandom -e 'puts Sysrandom.hex(32)'
SESSION_SECRET=<64-hex-character value generated by the command above>

Then changed my sessions secret to the following:

require 'dotenv/load'  # reads .env into ENV before the settings below are evaluated
enable :sessions
set :session_secret, ENV['SESSION_SECRET']

This let me read the secret from the .env file instead of dropping the value into the controller directly. Bam! Everything worked.

But the secret still wasn't completely secure, because it could be accessed on GitHub with the rest of my application code. Uh-oh. In order to keep people from simply viewing the session secret on GitHub, I needed to block this specific file from being uploaded when I pushed the rest of my app. To do this I created a file in my main directory called .gitignore and put the following line inside:

.env

This tells git not to track the .env file, so the session secret it contains is never committed or pushed. Note that .gitignore only affects future commits: if a .env file or a hard-coded secret has already been committed, it stays in the repository history, and the right fix is to generate a new secret (and, if the repository is public, treat the old one as compromised). Great! Now I had secure session secrets to keep my users safe and code I could reuse for future projects to ensure those users would be protected too!
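The .env, dotenv and validation steps above, as one added example (not the Collections Keeper app's code and not the dotenv gem itself). It models what dotenv does with a .env file (literal KEY=VALUE pairs, no Ruby evaluation) and adds a fail-fast check on the value that ends up in :session_secret, so the application refuses to boot with a missing secret, a human-chosen string like "museum_secret", or an unevaluated "Sysrandom.hex(32)" left in the file. SecureRandom.hex(32) from the standard library stands in for Sysrandom.hex(32) here so the example runs without the gem; both produce 32 random bytes as 64 hex characters. The module and function names are assumptions for this illustration.

```ruby
# Added example: a small model of dotenv's .env handling plus a startup check
# for the session secret. Not the app's code and not the dotenv gem.
require 'securerandom'

module SessionSecretConfig
  # Shape of Sysrandom.hex(32) / SecureRandom.hex(32): 32 bytes as 64 hex chars.
  HEX_32_BYTES = /\A\h{64}\z/

  # Parse .env text into a Hash roughly the way dotenv does: KEY=VALUE per line,
  # optional whitespace around '=', optional surrounding quotes, '#' comments
  # ignored. Values are plain strings; nothing is executed.
  def self.parse_env(text)
    text.each_line.with_object({}) do |line, env|
      line = line.strip
      next if line.empty? || line.start_with?('#')
      key, value = line.split('=', 2)
      next if value.nil?
      value = value.strip.sub(/\s+#.*\z/, '')            # drop trailing comment
      value = value[1..-2] if value =~ /\A(["']).*\1\z/  # strip matching quotes
      env[key.strip] = value
    end
  end

  # Generate a fresh secret of the same shape as Sysrandom.hex(32).
  def self.generate_secret
    SecureRandom.hex(32)
  end

  # Return the secret if it is usable; otherwise raise so the app does not
  # start with a missing, guessable, or never-generated secret.
  def self.session_secret_from(env)
    secret = env['SESSION_SECRET']
    if secret.nil? || secret.empty?
      raise ArgumentError, 'SESSION_SECRET is not set (is .env present and loaded?)'
    end
    unless secret.match?(HEX_32_BYTES)
      raise ArgumentError,
            "SESSION_SECRET must be 64 hex characters from a CSPRNG, got #{secret.inspect}"
    end
    secret
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed .env contents: the unevaluated call is read as a literal string.
  env = SessionSecretConfig.parse_env("SESSION_SECRET = Sysrandom.hex(32)\n")
  puts "literal value read from .env: #{env['SESSION_SECRET'].inspect}"
  begin
    SessionSecretConfig.session_secret_from(env)
  rescue ArgumentError => e
    puts "refused to boot: #{e.message}"
  end
  good = SessionSecretConfig.generate_secret
  puts "accepted: #{SessionSecretConfig.session_secret_from('SESSION_SECRET' => good)[0, 8]}..."
end
```

In the real application the check belongs right next to `set :session_secret`, e.g. by passing `ENV['SESSION_SECRET']` through a function like `session_secret_from` before the setting is assigned; a secret that fails the check then surfaces as a boot error during development rather than as a silently weak cookie signature in production.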

Written by Emiko N-P.

Hello, my name is Emiko. I am an aspiring Software Engineer and student at Flatiron School.