Initializing Redmine

The secret_token.rb file is initially missing. When installing, you should generate it using:

rake generate_secret_token

It should be possible to create it by hand too, but I do not know the format (see update below). This command will create the file in the right format with a random token, so it is preferable.

Once created, remember that config/initializers/secret_token.rb must be kept confidential - since anyone who has access to your content could for example forge session data. If it is in a * NIX environment, put the permissions 600 (read and written by the owner, nothing by the others). And obviously, this file should not go into version control - every different installation should have yours.

Update : According to the redmine source code , the secret_token.rb file that is generated by this command has the following format:

# This file was generated by 'rake generate_secret_token', and should
# not be made visible to public.
# If you have a load-balancing Redmine cluster, you will need to use the
# same version of this file on each machine. And be sure to restart your
# server when you modify this file.
#
# Your secret key for verifying cookie session data integrity. If you
# change this key, all old sessions will become invalid! Make sure the
# secret is at least 30 characters and all random, no regular words or
# you'll be exposed to dictionary attacks.
RedmineApp::Application.config.secret_token = '#{secret}'

Where secret is defined this way:

secret = SecureRandom.hex(40)

So if you have trouble running generate_secret_token you can create this file by hand, replacing '#{secret}' with a long, random string.

Generate a hash for the secret token using rake:

rake secret