rack / rack-session

MIT License

Incorrect security warning? #7

Closed mperham closed 2 years ago

mperham commented 2 years ago
```
% bundle exec rackup simple.ru
        SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
        This poses a security threat. It is strongly recommended that you
        provide a secret to prevent exploits that may be possible from crafted
        cookies. This will not be supported in future versions of Rack, and
        future versions will even invalidate your existing user cookies.
```

```ruby
secret_key = SecureRandom.hex(32)
use Rack::Session::Cookie, secret: secret_key, same_site: true, max_age: 86400
```

I'm clearly passing a `:secret` and the internal logic of `secure?` seems to have nothing to do with `:secret`, so I think there's some legacy cruft here.

jeremyevans commented 2 years ago

Not sure what is going wrong here. My guess is that an incorrect version of rack-session is being loaded, because I do not get a warning printed when I run the following from inside a rack-session checkout (with current rack checked out to ../rack):

```
$ ruby -I lib -I ../rack/lib -r rack/session -rsecurerandom -e "Rack::Session::Cookie.new(nil, secret: SecureRandom.hex(32), same_site: true, max_age: 86400)"
```

Just in case rackup is involved, I tried the following simple.ru:

```ruby
secret_key = SecureRandom.hex(32)
use Rack::Session::Cookie, secret: secret_key, same_site: true, max_age: 86400
run{}
```

and ran it with (with current rackup checked out to ../rackup):

```
$ ruby -I lib -I ../rack/lib -r securerandom -r rack/session ../rackup/bin/rackup simple.ru
[2022-08-09 08:44:33] INFO  WEBrick 1.7.0
[2022-08-09 08:44:33] INFO  ruby 3.1.2 (2022-04-12) [x86_64-openbsd]
[2022-08-09 08:44:33] INFO  WEBrick::HTTPServer#start: pid=64323 port=9292
```

As you can see, no warnings displayed.

Any chance your Gemfile is pulling in something else?
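
The warning quoted in the first comment is about what a `secret` buys a cookie-backed session, and the reply's guess is that a different copy of the library is being loaded than the one being read. The Ruby below is an added example written for this thread, not rack-session's own code: `SignedCookieSession` is a simplified, stdlib-only stand-in for `Rack::Session::Cookie` (an assumed name; the real store serializes differently and has more options) that shows why an unsigned cookie is client-controlled data while an HMAC-signed one rejects any rewrite, and `defined_in` is a small diagnostic that reports which file a class's constructor was loaded from, which is the check to run when a warning does not match the source you are looking at.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"

# Simplified analogue of a secret-keyed cookie session store (added example,
# not rack-session's code). Without a secret the cookie is only encoded data
# and the client can rewrite it; with a secret an HMAC-SHA256 tag is appended
# and any cookie whose tag does not verify is discarded.
class SignedCookieSession
  def initialize(secret: nil)
    @secret = secret
  end

  # Serialize session data into a cookie value, signing it when a secret is set.
  def encode(data)
    payload = Base64.strict_encode64(JSON.generate(data))
    return payload unless @secret
    "#{payload}--#{tag(payload)}"
  end

  # Parse a cookie value back into session data.
  # Returns nil when the signature is missing or does not verify.
  def decode(cookie)
    return nil if cookie.nil?
    # No secret: nothing can be verified, so whatever the client sent is used.
    return parse(cookie) unless @secret
    payload, given = cookie.split("--", 2)
    return nil if given.nil?
    return nil unless secure_equal?(given, tag(payload))
    parse(payload)
  end

  private

  def tag(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end

  # Constant-time comparison so a mismatch does not leak how many tag bytes matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  def parse(payload)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# Feed a rewritten cookie (constructed input: the role claim changed to "admin")
# to a store without a secret and to one with a secret, and report what each accepts.
def tamper_check
  original = { "user_id" => 42, "role" => "user" }
  rewritten_payload = Base64.strict_encode64(JSON.generate(original.merge("role" => "admin")))

  unsigned = SignedCookieSession.new
  signed   = SignedCookieSession.new(secret: SecureRandom.hex(32))
  genuine  = signed.encode(original)
  old_tag  = genuine.split("--", 2).last

  {
    unsigned_accepts_rewrite: unsigned.decode(rewritten_payload)&.fetch("role") == "admin",
    signed_accepts_genuine:   signed.decode(genuine) == original,
    signed_accepts_untagged:  !signed.decode(rewritten_payload).nil?,
    signed_accepts_old_tag:   !signed.decode("#{rewritten_payload}--#{old_tag}").nil?
  }
end

# Diagnostic for the "wrong copy of the library" guess in the thread:
# the file that defines a class's constructor is the copy actually loaded.
def defined_in(klass)
  file, = klass.instance_method(:initialize).source_location
  file
end

if __FILE__ == $PROGRAM_NAME
  tamper_check.each { |check, result| puts "#{check}: #{result}" }
  puts "SignedCookieSession loaded from #{defined_in(SignedCookieSession)}"
end
```

Running `defined_in(Rack::Session::Cookie)` in the environment that prints the warning (for instance via `bundle exec ruby -r rack/session -e ...`) tells you which `cookie.rb` is active, which is the first thing to compare against the source you are reading.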

mperham commented 2 years ago

Works with latest.