I had moved it into config.session_store[:secret] which was obviously wrong.

Rails is demanding this or won't render meaningful pages.

However the config setting in the session_store initializer used to be Cookie_secret.
I have not found any documentation on cookie_secret. config/initializers/cookie_verfification_secret.rb states we do not want a cookie_verification_secret.

The CHANGELOG for rails 3 states:
Renamed config.cookie_secret to config.secret_token and pass it as env key.

So I assume 'secret_token' is what we want.