Ported the session_store.rb generation task from trunk.

Loosely based on r2493 but adapted for Rails 2.1.2.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/0.8-stable@3054 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/application.rb

@@ -19,11 +19,17 @@ require 'uri'
 require 'cgi'
 
 class ApplicationController < ActionController::Base
+  class MissingSessionSecret < Exception ; end
   layout 'base'
   
   before_filter :user_setup, :check_if_login_required, :set_localization
   filter_parameter_logging :password
-  protect_from_forgery :secret => session.first[:secret]
+
+  if session.first[:secret].blank?
+    raise MissingSessionSecret, "Missing session secret. Please run 'rake config/initializers/session_store.rb' to generate one"
+  else
+    protect_from_forgery :secret => session.first[:secret]
+  end
   
   include Redmine::MenuManager::MenuController
   helper Redmine::MenuManager::MenuHelper

doc/INSTALL

@@ -30,7 +30,10 @@ Optional:
    rake db:migrate RAILS_ENV="production"
    It will create tables and an administrator account.
 
-5. Setting up permissions
+5. Generate a session store secret. Run:
+   rake config/initializers/session_store.rb
+
+6. Setting up permissions
    The user who runs Redmine must have write permission on the following
    subdirectories: files, log, tmp (create the last one if not present).
 
@@ -39,13 +42,13 @@ Optional:
      sudo chown -R redmine:redmine files log tmp
      sudo chmod -R 755 files log tmp
 
-6. Test the installation by running WEBrick web server:
+7. Test the installation by running WEBrick web server:
    ruby script/server -e production   
   
    Once WEBrick has started, point your browser to http://localhost:3000/
    You should now see the application welcome page
 
-7. Use default administrator account to log in:
+8. Use default administrator account to log in:
    login: admin
    password: admin
    

lib/tasks/initializers.rake

@@ -0,0 +1,24 @@
+desc 'Generates a configuration file for cookie store sessions.'
+
+file 'config/initializers/session_store.rb' do
+  path = File.join(RAILS_ROOT, 'config', 'initializers', 'session_store.rb')
+  secret = Rails::SecretKeyGenerator.new(self).generate_secret[0,40]
+  File.open(path, 'w') do |f|
+    f.write <<"EOF"
+# This file was generated by 'rake config/initializers/session_store.rb',
+# and should not be made visible to public.
+# If you have a load-balancing Redmine cluster, you will need to use the
+# same version of this file on each machine. And be sure to restart your
+# server when you modify this file.
+ 
+# Your secret key for verifying cookie session data integrity. If you
+# change this key, all old sessions will become invalid! Make sure the
+# secret is at least 30 characters and all random, no regular words or
+# you'll be exposed to dictionary attacks.
+ActionController::Base.session = {
+  :session_key => '_redmine_session',
+  :secret => '#{secret}'
+}
+EOF
+  end
+end