The file secret_token.rb is initially absent. While installing, you should generate it using:
rake generate_secret_token
It should be possible to create it by hand as well, but I don't know the format (see update below). This command will create the file in the right format, with a random token, so it is preferable.
Once it is created, remember that config/initializers/secret_token.rb should be kept confidential, as anyone who has access to its content could, for example, forge session data. If you are in a *NIX environment, set permissions 600 (read and write for the owner, nothing for others). And obviously this file should not go into version control: each installation should have its own.
Update: as per the source code of Redmine, the secret_token.rb file generated by this command has the following format:
# This file was generated by 'rake generate_secret_token', and should
# not be made visible to public.
# If you have a load-balancing Redmine cluster, you will need to use the
# same version of this file on each machine. And be sure to restart your
# server when you modify this file.
#
# Your secret key for verifying cookie session data integrity. If you
# change this key, all old sessions will become invalid! Make sure the
# secret is at least 30 characters and all random, no regular words or
# you'll be exposed to dictionary attacks.
RedmineApp::Application.config.secret_token = '#{secret}'
Where secret is defined in this way:
secret = SecureRandom.hex(40)
So if you have trouble executing generate_secret_token, you can create this file by hand by replacing '#{secret}' with a long, random string.
I don't know Ruby, but the message says that you should set up the config/initializers/secret_token.rb by setting a token to "config.secret_token".
– Marcelo Diniz
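The manual route described in the answer, as an added Ruby example that is not part of the original post or of Redmine's own code: it writes the initializer in the quoted format with mode 600 from creation, and audits an existing file for loose permissions, a leftover placeholder, or a short token. The function names, the shortened header comment, and the temporary demo path are assumptions made for illustration.

```ruby
require 'securerandom'
require 'tmpdir'

# Assignment line follows the format quoted above; header text is shortened.
TEMPLATE = <<~RUBY
  # Created by hand in the format written by 'rake generate_secret_token'.
  # This file should not be made visible to public.
  RedmineApp::Application.config.secret_token = '%s'
RUBY

# Create the initializer with a fresh token. The file is opened with mode
# 0600 so the secret is never briefly readable by others, and File::EXCL
# refuses to overwrite an existing file (that would invalidate all sessions).
def write_secret_token(path)
  secret = SecureRandom.hex(40) # 80 hex characters, as in the rake task
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(format(TEMPLATE, secret))
  end
  File.chmod(0o600, path) # enforce 600 regardless of umask
  secret
end

# Return a list of problems found in an existing file (empty list = OK).
def audit_secret_token(path)
  problems = []
  mode = File.stat(path).mode & 0o777
  problems << format('mode is %03o, expected 600', mode) if (mode & 0o077) != 0
  token = File.read(path)[/config\.secret_token\s*=\s*'([^']*)'/, 1]
  if token.nil?
    problems << 'no secret_token assignment found'
  elsif token.include?('#{secret}')
    problems << 'placeholder was never replaced'
  elsif token.length < 30
    problems << 'token shorter than 30 characters'
  end
  problems
end

# Demo in a throwaway directory (constructed path, not a real Redmine tree).
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'secret_token.rb')
    write_secret_token(path)
    puts audit_secret_token(path).inspect
    File.chmod(0o644, path) # simulate a file left readable by others
    puts audit_secret_token(path).inspect
  end
end
```

In a real installation the path would be config/initializers/secret_token.rb, and the server must be restarted after the file is created.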