The secret_token.rbfile's content includes a long randomized string which is used to verify the integrity of signed cookies(such as user sessions when people are signed into your web app).

该secret_token.rb文件的内容包括一个长随机字符串，用于验证签名 cookie 的完整性（例如，当人们登录到您的 Web 应用程序时的用户会话）。

Documentationsays:

文档说：

Use your existing secret_key_base from the secret_token.rbinitializer to set the SECRET_KEY_BASE environment variable for whichever users run the Rails app in production mode. Alternately, you can simply copy the existing secret_key_base from the secret_token.rbinitializer to secrets.yml under the production section, replacing <%= ENV["SECRET_KEY_BASE"] %>.

使用secret_token.rb初始化程序中现有的 secret_key_base为在生产模式下运行 Rails 应用程序的任何用户设置 SECRET_KEY_BASE 环境变量。或者，您可以简单地将现有的 secret_key_base 从secret_token.rb初始值设定项复制到生产部分下的secrets.yml ，替换<%= ENV["SECRET_KEY_BASE"] %>.

Since it is important file, and you can't put it to .gitignore, it is treated to be a good practice to use env variable to store secret_key_basevalue:

由于它是重要文件，并且您不能将其放入 .gitignore，因此使用 env 变量来存储secret_key_base值被视为一个好习惯：

create .envor .powenvfile and store it as:

创建.env或.powenv文件并将其存储为：

export SECRET_TOKEN="9489b3eee4eccf317ed77407553e8adc97baca7c74dc7ee33cd93e4c8b69477eea66eaedeb18af0be2679887c7c69c0a28c0fded0a71ea472a8c4laalal19cb"

And then in config/initializers/secret_token.rb

然后在 config/initializers/secret_token.rb

YourAppName::Application.config.secret_key_base = if Rails.env.development? or Rails.env.test? # generate simple key for test and development environments
  ('a' * 30) # should be at least 30 chars long
else
  ENV['SECRET_TOKEN']
end

This articleis (a bit old and) long but really full of useful info on the topic.

这篇文章（有点旧而且）很长，但确实充满了有关该主题的有用信息。

UPDATE 04.05.15

更新 04.05.15

Starting from Rails 4.2 there is no longer secret_token.rbfile. By new convention there is a config/secrets.ymlfile aimed to store application's secrets.

从 Rails 4.2 开始，不再有secret_token.rb文件。按照新的约定，有一个config/secrets.yml文件旨在存储应用程序的机密。

Have a readon how to upgrade an existing app to 4.2.x according to innovations.

阅读有关如何根据创新将现有应用升级到 4.2.x 的信息。

Technically the purpose of secrect_key_baseis to be the secret input for the application's key_generatormethod (check Rails.application.key_generator).

从技术上讲，目的secrect_key_base是成为应用程序key_generator方法（检查Rails.application.key_generator）的秘密输入。

The application's key_generator, and thus secret_key_base, are used by three core features within the Rails framework:

应用程序的key_generator，因此secret_key_base，被 Rails 框架内的三个核心功能使用：

• Deriving keys for encrypted cookies which are accessible via cookies.encrypted.
• Deriving the key for HMAC signed cookies which are accessible via cookies.signed.
• Deriving keys for all of the application's named message_verifierinstances.

• 派生可通过 访问的加密 cookie 的密钥 cookies.encrypted。
• 派生 HMAC 签名 cookie 的密钥，可通过cookies.signed.
• 为应用程序的所有命名message_verifier实例派生密钥。

Check out more on each of the three in the article by @michaeljcoyne.

在@michaeljcoyne的文章中查看更多关于这三者的信息。

secret_key_base is used to encrypt and sign session

secret_key_base 用于对会话进行加密和签名

in order to safely send session back and forth in cookies

为了安全地在 cookie 中来回发送会话

In Rails 4,

在Rails 4 中，

1. if your app is called Hello, and
2. you set session['a'] = 'b',

1. 如果您的应用程序被调用Hello，并且
2. 你设置session['a'] = 'b'，

your cookie will look something like this:

您的 cookie 将如下所示：

_Hello_session=BAh7B0kiD3%3D%3D--dc40a55cd52fe32bb3b84ae0608956dfb5824689

which translates into:

翻译成：

_Hello_session=<encrypted a=b>--<digital signature>

Cookies are set by server and kept client side, with browser resending set cookies to the server every time we request a page.

Cookie 由服务器设置并保存在客户端，每次我们请求页面时，浏览器都会向服务器重新发送设置的 Cookie。

To prevent evil people from understanding a=bstring, it's encrypted.
To prevent evil people from tampering cookies, digital signatureis used.

为了防止邪恶的人理解a=b字符串，它被加密了。
为了防止邪恶的人篡改cookie，使用了数字签名。

In both cases secret_key_basevalue is used (to encrypt/decrypt a=b and to validate digital signature).

在这两种情况下，都使用了secret_key_base值（加密/解密 a=b 并验证数字签名）。