changed Mojolicious default secret to the application moniker to make…

… it slightly more secure
mojolicious · May 9, 2013 · fa39fde · fa39fde
1 parent 440634d
commit fa39fde
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 7 deletions.
diff --git a/Changes b/Changes
@@ -5,6 +5,8 @@
   - Added json event to Mojo::Transaction::WebSocket.
   - Added is_empty method to Mojo::Transaction::HTTP.
   - Added close_gracefully method to Mojo::IOLoop::Stream.
+  - Changed Mojolicious default secret to the application moniker to make it
+    slightly more secure.
   - Removed Mojolicious::Plugin::PoweredBy and
     Mojolicious::Plugin::RequestTimer.
   - Removed data attribute from Mojo::URL.

diff --git a/lib/Mojolicious.pm b/lib/Mojolicious.pm
@@ -33,8 +33,8 @@ has secret   => sub {
   # Warn developers about insecure default
   $self->log->debug('Your secret passphrase needs to be changed!!!');
 
-  # Default to application name
-  return ref $self;
+  # Default to moniker
+  return $self->moniker;
 };
 has sessions => sub { Mojolicious::Sessions->new };
 has static   => sub { Mojolicious::Static->new };
@@ -335,9 +335,9 @@ startup method to define the url endpoints for your application.
   $app       = $app->secret('passw0rd');
 
 A secret passphrase used for signed cookies and the like, defaults to the
-application name which is not very secure, so you should change it!!! As long
-as you are using the insecure default there will be debug messages in the log
-file reminding you to change your passphrase.
+C<moniker> of this application, which is not very secure, so you should change
+it!!! As long as you are using the insecure default there will be debug
+messages in the log file reminding you to change your passphrase.
 
 =head2 sessions
 

diff --git a/lib/Mojolicious/Guides/Cookbook.pod b/lib/Mojolicious/Guides/Cookbook.pod
@@ -1100,7 +1100,7 @@ There are many more useful methods and attributes in L<Mojolicious::Command>
 that you can use or overload.
 
   $ mojo spy secret
-  The secret of this application is "Mojolicious::Lite".
+  The secret of this application is "HelloWorld".
 
   $ ./myapp.pl spy secret
   The secret of this application is "secr3t".

diff --git a/lib/Mojolicious/Guides/FAQ.pod b/lib/Mojolicious/Guides/FAQ.pod
@@ -94,7 +94,7 @@ to use the MOJO_REACTOR environment variable to enforce a more portable one.
 =head2 What does "Your secret passphrase needs to be changed" mean?
 
 L<Mojolicious> uses a secret passphrase for security features such as signed
-cookies. It defaults to the name of your application, which is not very
+cookies. It defaults to the moniker of your application, which is not very
 secure, so we added this log message as a reminder. You can change the
 passphrase with the attribute L<Mojolicious/"secret">.
 

diff --git a/t/mojolicious/app.t b/t/mojolicious/app.t
@@ -59,6 +59,7 @@ is $t->app, $t->app->commands->app, 'applications are equal';
 is $t->app->static->file('hello.txt')->slurp,
   "Hello Mojo from a development static file!\n", 'right content';
 is $t->app->moniker, 'mojolicious_test', 'right moniker';
+is $t->app->secret, $t->app->moniker, 'secret defaults to moniker';
 
 # Hidden controller methods and attributes
 $t->app->routes->hide('bar');