Sharing a few thoughts:

- having a per-machine key auto-generated will not work properly with PaaS (such as Heroku, DotCloud etc), especially if you have N machines behind a load-balancer. In that case they need to share the key, so a Heroku production variable or similar will have to be used instead.

- I believe we (Rails users) should at least move away from having a hard-coded key in the source by default, and instead generate and deploy it by other ways (such as symlinking like database.yml or PaaS variables), since having it in the source puts an onus on people having access to the source code (such as freelancers/contractors, or other team members without deploy access etc). This should be treated sensitively!

- in today's practice of having the key in the source code, some staging environments would currently also have the same key by default, and sometimes these are less secure or up-to-date compared to the production environment, providing another attack vector maybe.
I like the solution I stole from rstat.us: you have an off-repository location for the token. If there's none:

* on production you crash,
* on dev, you autogenerate one and save it to a config file that's possibly dev-only,
* during automated tests you just autogenerate something and live with it.

Here's the nice replacement for secret_token.rb: https://github.com/hotsh/rstat.us/blob/master/config/initializers/secret_token.rb
We use Heroku and PaaS environment variables, with a default value if you're running in development/test mode, e.g.

    if Rails.env.production? && ENV['SECRET_TOKEN'].blank?
      raise 'SECRET_TOKEN environment variable must be set!'
    end

    secret_token = ENV['SECRET_TOKEN'] || 'safdasfjlkj...'
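The two comments above describe the same policy from two angles: crash in production when no secret is configured, generate and persist one in development, and use a throwaway value under test. The following is an added example that is not from the thread, from rstat.us, or from Rails itself. It is a Rails-independent resolver so that it runs stand-alone; the function name `resolve_secret_token`, the `MissingSecretToken` error class, the `env_vars` injection (a stand-in for `ENV`), and the `config/secret_token.dev` path are all my own assumptions. It goes slightly beyond the snippet above by treating a whitespace-only `SECRET_TOKEN` as missing and by persisting the development token with owner-only permissions.

```ruby
# Added example (not the thread's or rstat.us's code): resolve the session
# secret according to the policy discussed above.
#   production  -> must come from outside the repository (env var), else raise
#   development -> generate once, persist to a git-ignored file, reuse it
#   test        -> generate a throwaway value per run
require 'securerandom'
require 'fileutils'

# Raised when production has no externally supplied secret (assumed name).
class MissingSecretToken < StandardError; end

# env_name : 'production', 'development' or 'test' (what Rails.env would report)
# env_vars : hash standing in for ENV, injected so this can be exercised offline
# dev_path : file where the development token is persisted (assumed path;
#            it belongs in .gitignore, like database.yml in the thread)
# Returns the token string.
def resolve_secret_token(env_name, env_vars: ENV, dev_path: 'config/secret_token.dev')
  token = env_vars['SECRET_TOKEN']
  # An externally supplied token wins in every environment. A blank or
  # whitespace-only value counts as missing, like ActiveSupport's blank?.
  return token unless token.nil? || token.strip.empty?

  case env_name
  when 'production'
    # Never fall back to a hard-coded or per-machine generated value here:
    # a generated one differs on each node behind a load balancer and would
    # also invalidate every session on every deploy.
    raise MissingSecretToken, 'SECRET_TOKEN environment variable must be set!'
  when 'test'
    # Throwaway value; nothing needs to survive the test run.
    SecureRandom.hex(64)
  else
    # Development: generate once and persist it outside version control so
    # sessions stay valid across restarts without putting the value in git.
    if File.exist?(dev_path)
      File.read(dev_path).strip
    else
      FileUtils.mkdir_p(File.dirname(dev_path))
      generated = SecureRandom.hex(64)   # 512 bits of entropy, 128 hex chars
      File.write(dev_path, generated + "\n")
      File.chmod(0o600, dev_path)        # owner-only, like a private key file
      generated
    end
  end
end

# Stand-alone demonstration: production without the variable fails loudly.
if __FILE__ == $PROGRAM_NAME
  begin
    resolve_secret_token('production', env_vars: {})
  rescue MissingSecretToken => e
    warn "production boot refused: #{e.message}"
  end
  puts "development token persisted: #{resolve_secret_token('development', env_vars: {}, dev_path: '/tmp/secret_token.dev')[0, 16]}..."
end
```

In a Rails app this would sit in `config/initializers/secret_token.rb` and feed `config.secret_token`; the important property is that the only code path that ever reaches a literal string is the development one, and even that literal lives in an untracked file rather than in the source.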
"Users would still be logged out on every deploy, but I believe this is a minor problem for most people."

Would be an absolute pain for users of things such as GitHub who deploy several times a day.
I store the secret inside of my paste config file ... which is picked up by uwsgi and passed to my Pyramid app.

You are required to configure my app anyway, and I can store it inside of a config file that doesn't need to be made public or stored in version control.