Major revamp of security. Passwords are first SHA1 hashed and then

that hash is bcrypted.  Bcrypted hashes are stored in a new column on
users.  This separate column is only to allow for rollbacks,
eventually the old SHA1 hash column will be removed.  Sensitive cookie
details are now encrypted to prevent user tampering and more stringent
checks on secret_token and session_secret_key are enforced.

config/application.rb

@@ -1,5 +1,4 @@
 require File.expand_path('../boot', __FILE__)
-
 require 'rails/all'
 
 if defined?(Bundler)
@@ -11,6 +10,7 @@ end
 
 module Danbooru
   class Application < Rails::Application
+    
     config.active_record.schema_format = :sql
     config.encoding = "utf-8"
     config.filter_parameters += [:password]
@@ -25,4 +25,3 @@ module Danbooru
     config.log_tags = [lambda {|req| "PID:#{Process.pid}"}]
   end
 end
-

config/danbooru_default_config.rb

@@ -112,11 +112,6 @@ module Danbooru
       !user.is_privileged?
     end
     
-    # This is required for Rails 2.0.
-    def session_secret_key
-      "This should be at least 30 characters long"
-    end
-    
     # Users cannot search for more than X regular tags at a time.
     def base_tag_query_limit
       6

config/initializers/secret_token.rb

@@ -1,13 +1,9 @@
-# Be sure to restart your server when you modify this file.
+require File.expand_path('../../state_checker', __FILE__)
 
-# Your secret key for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
-
-if File.exists?(File.expand_path("~/.danbooru/secret_token"))
-  Danbooru::Application.config.secret_token = File.read(File.expand_path("~/.danbooru/secret_token"))
-else
-  Danbooru::Application.config.secret_token = SecureRandom.hex(64)
-end
+StateChecker.new.check!
 
+Danbooru::Application.config.action_dispatch.session = {
+  :key    => '_danbooru2_session',
+  :secret => File.read(File.expand_path("~/.danbooru/session_secret_key"))
+}
+Danbooru::Application.config.secret_token = File.read(File.expand_path("~/.danbooru/secret_token"))

config/state_checker.rb

@@ -0,0 +1,36 @@
+class StateChecker
+  def check!
+    check_secret_token
+    check_session_secret_key
+  end
+
+private
+  
+  def secret_token_path
+    File.expand_path("~/.danbooru/secret_token")
+  end
+  
+  def check_secret_token
+    unless File.exists?(secret_token_path)
+      raise "You must create a file in #{secret_token_path} containing a secret key. It should be a string of at least 32 random characters."
+    end
+
+    if File.stat(secret_token_path).world_readable? || File.stat(secret_token_path).world_writable?
+      raise "#{secret_token_path} must not be world readable or writable"
+    end
+  end
+
+  def session_secret_key_path
+    File.expand_path("~/.danbooru/session_secret_key")
+  end
+  
+  def check_session_secret_key
+    unless File.exists?(session_secret_key_path)
+      raise "You must create a file in #{session_secret_key_path} containing a secret key. It should be a string of at least 32 random characters."
+    end
+
+    if File.stat(session_secret_key_path).world_readable? || File.stat(session_secret_key_path).world_writable?
+      raise "#{session_secret_key_path} must not be world readable or writable"
+    end
+  end
+end