diff --git a/app/controllers/application.rb b/app/controllers/application.rb
index dfe7a29..f1378c5 100644
--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -19,11 +19,17 @@ require 'uri'
 require 'cgi'
 class ApplicationController < ActionController::Base
+ class MissingSessionSecret < Exception ; end
 layout 'base'
 before_filter :user_setup, :check_if_login_required, :set_localization
 filter_parameter_logging :password
- protect_from_forgery :secret => session.first[:secret]
+
+ if session.first[:secret].blank?
+ raise MissingSessionSecret, "Missing session secret. Please run 'rake config/initializers/session_store.rb' to generate one"
+ else
+ protect_from_forgery :secret => session.first[:secret]
+ end
 include Redmine::MenuManager::MenuController
 helper Redmine::MenuManager::MenuHelper
diff --git a/doc/INSTALL b/doc/INSTALL
index 72cb508..f5e5018 100644
--- a/doc/INSTALL
+++ b/doc/INSTALL
@@ -30,7 +30,10 @@ Optional:
 rake db:migrate RAILS_ENV="production"
 It will create tables and an administrator account.
-5. Setting up permissions
+5. Generate a session store secret. Run:
+ rake config/initializers/session_store.rb
+
+6. Setting up permissions
 The user who runs Redmine must have write permission on the following subdirectories: files, log, tmp (create the last one if not present).
@@ -39,13 +42,13 @@ Optional:
 sudo chown -R redmine:redmine files log tmp
 sudo chmod -R 755 files log tmp
-6. Test the installation by running WEBrick web server:
+7. Test the installation by running WEBrick web server:
 ruby script/server -e production
 Once WEBrick has started, point your browser to http://localhost:3000/
 You should now see the application welcome page
-7. Use default administrator account to log in:
+8. Use default administrator account to log in:
 login: admin
 password: admin
diff --git a/lib/tasks/initializers.rake b/lib/tasks/initializers.rake
new file mode 100644
index 0000000..54b5d11
--- /dev/null
+++ b/lib/tasks/initializers.rake
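Review bot: The new guard reads `session.first[:secret]` before `blank?` runs, so if the session options were never configured at all (the case the error message is written for) and `session.first` returns nil, the class body fails with a NoMethodError on nil instead of the `MissingSessionSecret` message; assuming an empty options list is possible here, read the value defensively, e.g. `secret = (session.first || {})[:secret]`, then `raise MissingSessionSecret, "Missing session secret. Please run 'rake config/initializers/session_store.rb' to generate one" if secret.blank?` followed by an unconditional `protect_from_forgery :secret => secret`, which also drops the `else` branch that `raise` already makes redundant. `MissingSessionSecret` subclasses `Exception` rather than `StandardError`; that keeps a generic `rescue` from swallowing it, which may be intended for a configuration failure, but a one-line comment saying so would stop the next reader from "fixing" it. The check only confirms presence, while the initializer this task generates asks for at least 30 characters, so a hand-edited short secret passes silently; `raise MissingSessionSecret, "..." if secret.to_s.length < 30` would close that gap. The `ApplicationController` class body continues outside the hunk.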
@@ -0,0 +1,24 @@
+desc 'Generates a configuration file for cookie store sessions.'
+
+file 'config/initializers/session_store.rb' do
+ path = File.join(RAILS_ROOT, 'config', 'initializers', 'session_store.rb')
+ secret = Rails::SecretKeyGenerator.new(self).generate_secret[0,40]
+ File.open(path, 'w') do |f|
+ f.write <<"EOF"
+# This file was generated by 'rake config/initializers/session_store.rb',
+# and should not be made visible to public.
+# If you have a load-balancing Redmine cluster, you will need to use the
+# same version of this file on each machine. And be sure to restart your
+# server when you modify this file.
+
+# Your secret key for verifying cookie session data integrity. If you
+# change this key, all old sessions will become invalid! Make sure the
+# secret is at least 30 characters and all random, no regular words or
+# you'll be exposed to dictionary attacks.
+ActionController::Base.session = {
+ :session_key => '_redmine_session',
+ :secret => '#{secret}'
+}
+EOF
+ end
+end
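Review bot: The initializer holding the session secret is created with `File.open(path, 'w')`, which leaves the file's permissions to the process umask (commonly a world-readable 0644), at odds with the header the task itself writes saying the file should not be visible to the public. Pass the creation mode explicitly, `File.open(path, 'w', 0600) do |f|`, so only the account that ran the task can read it; the mode applies here because a `file` task only runs when the target does not yet exist, which also usefully keeps an existing secret from being overwritten. The secret is spliced into a single-quoted literal as `'#{secret}'`, so the generated Ruby is well-formed only as long as `generate_secret` never yields a quote or backslash; `:secret => #{secret.inspect}` removes that dependency. The `[0,40]` truncation deserves a short comment stating the intended length, since the header promises at least 30 characters and a reader cannot tell from this file what `generate_secret` returns.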