Rails 4 introduces a new way of signing cookies that differs from the previous method in Rails 3. When you upgrade to Rails 4, you are likely to receive "DEPRECATION WARNING: You didn't set config.secret_key_base". As pointed out in the guide for upgrading rails, you can simply run "rake secret" to generate a new secret, and paste that into config.secret_key_base inconfig/initializers/secret_token.rb. However, do we really want this crucial security key to be hard-coded in our application and pushed to our repository? What if our repository is public?