The secret_token.rb file is initially missing. When installing, you should generate it using:
rake generate_secret_token
It should be possible to create it by hand too, but I do not know the format (see update below). This command will create the file in the right format with a random token, so it is preferable.
Once created, remember that config/initializers/secret_token.rb must be kept confidential, since anyone who has access to its contents could, for example, forge session data. In a *NIX environment, set its permissions to 600 (read and write for the owner, nothing for others). And obviously, this file should not go into version control: each installation should have its own.
Update: According to the Redmine source code, the secret_token.rb file that is generated by this command has the following format:
# This file was generated by 'rake generate_secret_token', and should
# not be made visible to public.
# If you have a load-balancing Redmine cluster, you will need to use the
# same version of this file on each machine. And be sure to restart your
# server when you modify this file.
#
# Your secret key for verifying cookie session data integrity. If you
# change this key, all old sessions will become invalid! Make sure the
# secret is at least 30 characters and all random, no regular words or
# you'll be exposed to dictionary attacks.
RedmineApp::Application.config.secret_token = '#{secret}'
Where secret is defined this way:
secret = SecureRandom.hex(40)
So if you have trouble running generate_secret_token, you can create this file by hand, replacing '#{secret}' with a long, random string.
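One way to do the by-hand creation safely, as an added example that is not part of the original answer or of Redmine: it writes the file in the format quoted above, creates it with mode 600 from the start, refuses to overwrite an existing secret, and audits the result. The function names `secret_token_source`, `write_secret_token` and `audit_secret_token` are hypothetical, and the header comment is shortened.

```ruby
require 'securerandom'

# Builds the initializer source in the format quoted above
# (header comment shortened for this example).
def secret_token_source(secret)
  <<~RUBY
    # This file was created by hand in the format of
    # 'rake generate_secret_token', and should not be made visible to public.
    RedmineApp::Application.config.secret_token = '#{secret}'
  RUBY
end

# Hypothetical helper: writes the initializer at +path+.
# File::EXCL makes the call fail if a secret already exists, so live
# sessions are never invalidated by accident. Mode 0600 is applied at
# creation time, so the secret is never readable by other users.
def write_secret_token(path)
  secret = SecureRandom.hex(40) # same call Redmine uses: 80 hex characters
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(secret_token_source(secret))
  end
  File.chmod(0o600, path) # explicit, independent of the process umask
  path
end

# Hypothetical helper: returns a list of problems found in an existing
# secret_token.rb (empty list means the file passes both checks).
def audit_secret_token(path)
  problems = []
  mode = File.stat(path).mode & 0o777
  problems << format('mode is %o, expected 600', mode) unless mode == 0o600
  secret = File.read(path)[/secret_token\s*=\s*'([^']*)'/, 1]
  if secret.nil?
    problems << 'no secret_token assignment found'
  elsif secret.length < 30
    problems << 'secret shorter than 30 characters'
  end
  problems
end
```

From the Redmine root, call `write_secret_token('config/initializers/secret_token.rb')` once, then restart the server; `audit_secret_token` can be run later against the same path to confirm the permissions have not drifted.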