Wow. Please, please tell me that these are just hobby projects which have this happening. I can understand a beginner who doesn't understand .gitignore doing this, but if there are people building products with this ignorance, that is troubling. I can see why a lot of greybeards hate frameworks, because someone who builds web apps with a much more bare-bones framework (Sinatra, Webapp2, Express, etc.) most likely understands the fundamentals of encryption/hashing, simply because lighter frameworks require understanding the fundamentals in general.

This isn't to say that a developer for one of these frameworks couldn't easily overlook adding the files with secret_tokens in them to the .gitignore.
Note that this was published back in May 2012, so it's not entirely recent (which is OK, just thought I would note it). However, this seems to have been public by February 2011 (http://stackoverflow.com/questions/5132152/when-you-have-secret-key-in-your-project-how-can-pushing-to-github-be-possible). I don't think the issue is entirely widespread, and a different key is likely used for production.
What is the advantage to hashing a user id and storing it in the cookie over simply generating a random session code and storing it in a db table against the user's id and then checking every request? Is the overhead of an extra db read the only reason people don't do this? (Honest question, not trying to be smart)
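The two designs asked about in the comment above, side by side, as an added example that is not part of the thread and not Rails' own code. Scheme A is the stateless signed cookie that a Rails secret_token protects (session data plus an HMAC under the server secret); scheme B is the random token looked up in a server-side table. The helper names (sign_session, verify_session, forge_without_secret, SessionStore, compare_schemes) are hypothetical, and the in-memory Hash stands in for a database table. The walk-through shows what each scheme gives an attacker who has obtained the secret, which is exactly the situation a committed secret_token creates.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Constant-time byte comparison so the verifier does not leak the MAC via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Scheme A: stateless signed cookie (the mechanism a Rails secret_token protects) ---
# The cookie carries the session data itself plus an HMAC under the server secret.
# Hypothetical helper names; a sketch of the mechanism, not Rails' implementation.
def sign_session(secret, data)
  payload = Base64.strict_encode64(JSON.generate(data))
  mac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, payload)
  "#{payload}--#{mac}"
end

# Returns the session hash, or nil if the MAC does not verify under `secret`.
def verify_session(secret, cookie)
  payload, mac = cookie.to_s.split('--', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, payload)
  return nil unless secure_compare(mac, expected)
  JSON.parse(Base64.strict_decode64(payload))
end

# An attacker WITHOUT the secret can only splice new data onto an old MAC.
def forge_without_secret(cookie, data)
  _payload, mac = cookie.split('--', 2)
  "#{Base64.strict_encode64(JSON.generate(data))}--#{mac}"
end

# --- Scheme B: server-side session, random token in the cookie ---
# The cookie carries nothing but an unguessable handle; user_id lives server-side.
class SessionStore
  def initialize
    @sessions = {} # stands in for a sessions table keyed by token
  end

  def create(user_id)
    token = SecureRandom.hex(32) # 256 random bits: guessing is infeasible
    @sessions[token] = user_id
    token
  end

  # One table read per request: the overhead the comment asks about.
  def lookup(token)
    @sessions[token]
  end

  # Logout or compromise response: the token stops working immediately.
  def revoke(token)
    @sessions.delete(token)
  end
end

# Exercise both schemes with a secret the attacker also holds; returns the observations.
def compare_schemes
  secret = SecureRandom.hex(64) # stands in for the committed secret_token
  cookie = sign_session(secret, 'user_id' => 42)

  store = SessionStore.new
  token = store.create(42)
  victim = store.lookup(token)
  store.revoke(token)

  {
    legit:            verify_session(secret, cookie)['user_id'],                           # 42
    spliced:          verify_session(secret, forge_without_secret(cookie, 'user_id' => 1)), # nil
    wrong_secret:     verify_session('not-the-secret', cookie),                            # nil
    forged_with_leak: verify_session(secret, sign_session(secret, 'user_id' => 1))['user_id'], # 1
    db_lookup:        victim,                                                              # 42
    db_guess:         store.lookup(SecureRandom.hex(32)),                                  # nil
    db_after_revoke:  store.lookup(token)                                                  # nil
  }
end
```

The `forged_with_leak` entry is the point of the thread: with the secret in hand, an attacker mints a valid cookie for any user id, and the server has no table to consult and nothing to revoke. Under scheme B the leaked secret buys nothing, the extra read is the price of being able to revoke a session, and the cookie holds no user data at all. Signed cookies in practice also carry an expiry to bound the damage, which this sketch omits.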
Why don't more people keep configuration / api keys / etc in the database?

1. Your configuration is backed up along with your data.

2. You can share configuration with multiple applications easily.

3. Use postgresql's LISTEN/NOTIFY to tell your applications about new configuration changes in real-time.

4. Your configuration is as secret as your data.
As hgimenez said, the best way is to not store your secrets in your source tree at all (12factor.net style). Keep them in the environment. Here's a great example:

https://github.com/democrats/voter-registration/commit/2fa8796658fdbf18490cd2a3d7bf173e53b1cab8
We use the Figaro gem to set up ENV variables per project without messing with your system Path.

It also pushes your ENV vars to Heroku with one command. Pretty neat and simple.

In case you want to check it out: https://github.com/laserlemon/figaro
Why doesn't rails add this to the .gitignore generated from `rails new myapp`? And maybe include a rake task to generate a new secret token. That's what I've been doing ever since I found out about this.
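The environment-based approach the last few comments describe (keep the secret out of the tree, generate it per environment, read it at boot), as an added example that is neither Rails' nor Figaro's code. The helper names (generate_secret_token, load_secret_token, parse_dotenv, gitignored?) and the environment variable name SECRET_TOKEN are assumptions; the 30-character minimum is an assumption chosen here; the .env parser and the .gitignore check are deliberately minimal (exact paths only, no glob semantics).

```ruby
require 'securerandom'

# 64 random bytes, hex-encoded (128 hex characters). Run once per environment
# and put the value into that environment's ENV, never into the repository.
def generate_secret_token
  SecureRandom.hex(64)
end

# Shortest secret we will boot with; 30 is an assumption chosen for this example.
MIN_SECRET_LENGTH = 30

# Read the token from the environment. Raise instead of booting with an empty
# or short secret, since a weak secret lets anyone forge signed session cookies.
def load_secret_token(env = ENV)
  token = env['SECRET_TOKEN']
  raise 'SECRET_TOKEN is not set' if token.nil? || token.strip.empty?
  raise "SECRET_TOKEN shorter than #{MIN_SECRET_LENGTH} characters" if token.length < MIN_SECRET_LENGTH
  token
end

# Minimal KEY=VALUE parser for a git-ignored .env file used only in development.
# Handles blank lines, # comments and single- or double-quoted values.
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, vars|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next if key.nil? || value.nil?
    value = value.strip
    if value.length >= 2 && %w[" '].include?(value[0]) && value[-1] == value[0]
      value = value[1..-2]
    end
    vars[key.strip] = value
  end
end

# Exact-path check that a secrets file is listed in .gitignore (no glob support;
# enough to guard a fixed path such as config/initializers/secret_token.rb).
def gitignored?(gitignore_text, path)
  gitignore_text.each_line.any? { |l| [path, "/#{path}"].include?(l.strip) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample .env content, not a real file.
  sample = "# local development only\nSECRET_TOKEN=\"#{generate_secret_token}\"\n"
  puts load_secret_token(parse_dotenv(sample)).length # 128
end
```

Wiring this into an app is a matter of replacing the literal in config/initializers/secret_token.rb with a call to load_secret_token (the exact `config.secret_token = ...` line depends on the application's module name), and the rake task the comment asks for is just `task(:secret) { puts generate_secret_token }` in the Rakefile. The .env file and any initializer that ever held a literal belong in .gitignore, and a secret that has already been pushed should be treated as burned and regenerated, since rewriting history does not unpublish it.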
I would argue this is even worse for Django projects. Django secret keys are in the settings file by default, which definitely needs to be put under revision control.