diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 6d46586367..1537b8b806 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -249,9 +249,8 @@ module ActionController end def secret_token(request) - secret = request.env["action_dispatch.secret_token"] - raise "You must set config.secret_token in your app's config" if secret.blank? - secret + key_generator = request.env["action_dispatch.key_generator"] + key_generator.generate_key('http authentication') end # Uses an MD5 digest based on time to generate a value to be used only once. diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb index b11ad633bd..dd95fad6e1 100644 --- a/actionpack/test/controller/http_digest_authentication_test.rb +++ b/actionpack/test/controller/http_digest_authentication_test.rb @@ -1,4 +1,6 @@ require 'abstract_unit' +# FIXME remove DummyKeyGenerator and this require in 4.1 +require 'active_support/key_generator' class HttpDigestAuthenticationTest < ActionController::TestCase class DummyDigestController < ActionController::Base @@ -41,7 +43,7 @@ class HttpDigestAuthenticationTest < ActionController::TestCase setup do # Used as secret in generating nonce to prevent tampering of timestamp @secret = "session_options_secret" - @request.env["action_dispatch.secret_token"] = @secret + @request.env["action_dispatch.key_generator"] = ActiveSupport::DummyKeyGenerator.new(@secret) end teardown do diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb index 741b03d80e..f9867721a2 100644 --- a/railties/lib/rails/application.rb +++ b/railties/lib/rails/application.rb 
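Review bot: In `secret_token` in http_authentication.rb, the new body calls `generate_key` on whatever `request.env["action_dispatch.key_generator"]` returns, so a request whose env lacks that entry now fails with a NoMethodError on nil instead of the configuration message the removed lines raised. The blank-secret check this commit adds in application.rb only covers requests built through a Rails application, so a guard here would keep the failure readable: `raise "You must set config.secret_token_key in your app's config" unless key_generator`. A comment such as `# Fixed salt: keeps this key distinct from other keys derived from the same secret; changing it invalidates outstanding nonces` would also help, assuming the generator derives one key per salt. If `generate_key` runs a real key-derivation function, it is invoked each time a nonce is created or validated, so it is worth confirming that the object placed in the env caches derived keys.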
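Review bot: The setup block in http_digest_authentication_test.rb only ever installs `ActiveSupport::DummyKeyGenerator`, which appears to hand the configured secret back unchanged, so the suite never exercises digest authentication with a key actually derived under the 'http authentication' salt. A second case that sets `@request.env["action_dispatch.key_generator"] = ActiveSupport::KeyGenerator.new(@secret)` would cover the path that applications using `secret_token_key` take. The assertions that build expected nonces are outside this hunk, so they may need to obtain the key from the generator rather than from `@secret` directly.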
@@ -120,7 +120,6 @@ module Rails # Currently stores: # # * "action_dispatch.parameter_filter" => config.filter_parameters, - # * "action_dispatch.secret_token" => config.secret_token, # * "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions, # * "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local, # * "action_dispatch.logger" => Rails.logger, @@ -135,11 +134,13 @@ module Rails ActiveSupport::Deprecation.warn "You didn't set config.secret_token_key. " + "This should be used instead of the old deprecated config.secret_token. " + "Set config.secret_token_key instead of config.secret_token in config/initializers/secret_token.rb" + if config.secret_token.blank? + raise "You must set config.secret_token_key in your app's config" + end end super.merge({ "action_dispatch.parameter_filter" => config.filter_parameters, - "action_dispatch.secret_token" => config.secret_token, "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions, "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local, "action_dispatch.logger" => Rails.logger, diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb index b01b97aa67..0faa62c86c 100644 --- a/railties/lib/rails/application/configuration.rb +++ b/railties/lib/rails/application/configuration.rb 
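Review bot: The added `if config.secret_token.blank?` check in the second application.rb hunk sits inside the branch taken when `secret_token_key` is unset and tests `secret_token` alone, so a `secret_token_key` that is set but empty (`""` is truthy in Ruby) would presumably skip both the warning and the raise. The enclosing conditional starts outside the hunk, so this depends on it being a plain truthiness test. Checking both values up front, `raise "You must set config.secret_token_key in your app's config" if config.secret_token_key.blank? && config.secret_token.blank?`, would close that gap and would also avoid emitting the deprecation warning immediately before the error. Nothing visible here rejects a very short secret either; if no length check exists elsewhere, this is the natural place for one.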
@@ -10,12 +10,12 @@ module Rails :cache_classes, :cache_store, :consider_all_requests_local, :console, :eager_load, :exceptions_app, :file_watcher, :filter_parameters, :force_ssl, :helpers_paths, :logger, :log_formatter, :log_tags, - :railties_order, :relative_url_root, :secret_token_key, + :railties_order, :relative_url_root, :secret_token, :secret_token_key, :serve_static_assets, :ssl_options, :static_cache_control, :session_options, :time_zone, :reload_classes_only_on_change, :queue, :queue_consumer, :beginning_of_week - attr_writer :secret_token, :log_level + attr_writer :log_level attr_reader :encoding def initialize(*) @@ -146,10 +146,6 @@ module Rails def whiny_nils=(*) ActiveSupport::Deprecation.warn "config.whiny_nils option is deprecated and no longer works" end - - def secret_token - @secret_token_key || @secret_token - end end end end diff --git a/railties/test/abstract_unit.rb b/railties/test/abstract_unit.rb index dfcf5aa27d..486cc64137 100644 --- a/railties/test/abstract_unit.rb +++ b/railties/test/abstract_unit.rb @@ -14,5 +14,6 @@ require 'rails/all' module TestApp class Application < Rails::Application config.root = File.dirname(__FILE__) + config.secret_token_key = 'b3c631c314c0bbca50c1b2843150fe33' end end diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb index daf9dd3505..5d654e1be6 100644 --- a/railties/test/application/configuration_test.rb +++ b/railties/test/application/configuration_test.rb 
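Review bot: With the custom `secret_token` reader removed in the second configuration.rb hunk, `config.secret_token` no longer falls back to `@secret_token_key`, so any caller outside this diff that still reads `config.secret_token` gets nil for an application that sets only `secret_token_key`. The diff updates application.rb and digest authentication, but other readers (plugins, session or cookie setup) are not visible here and are worth searching for before merging. The symbol list that now includes `:secret_token` starts outside the hunk; assuming it is an `attr_accessor`, a comment above it such as `# secret_token is the legacy secret; new code derives keys from secret_token_key through the key generator` would make the split explicit.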
@@ -225,23 +225,6 @@ module ApplicationTests assert_equal Pathname.new(app_path).join("somewhere"), Rails.public_path end - test "config.secret_token_key is sent in env" do - make_basic_app do |app| - app.config.secret_token_key = 'b3c631c314c0bbca50c1b2843150fe33' - app.config.session_store :disabled - end - - class ::OmgController < ActionController::Base - def index - cookies.signed[:some_key] = "some_value" - render text: env["action_dispatch.secret_token"] - end - end - - get "/" - assert_equal 'b3c631c314c0bbca50c1b2843150fe33', last_response.body - end - test "Use key_generator when secret_token_key is set" do make_basic_app do |app| app.config.secret_token_key = 'b3c631c314c0bbca50c1b2843150fe33' @@ -588,7 +571,6 @@ module ApplicationTests assert_respond_to app, :env_config assert_equal app.env_config['action_dispatch.parameter_filter'], app.config.filter_parameters - assert_equal app.env_config['action_dispatch.secret_token'], app.config.secret_token assert_equal app.env_config['action_dispatch.show_exceptions'], app.config.action_dispatch.show_exceptions assert_equal app.env_config['action_dispatch.logger'], Rails.logger assert_equal app.env_config['action_dispatch.backtrace_cleaner'], Rails.backtrace_cleaner diff --git a/railties/test/application/middleware/remote_ip_test.rb b/railties/test/application/middleware/remote_ip_test.rb index 9d97bae9ae..fde13eeb94 100644 --- a/railties/test/application/middleware/remote_ip_test.rb +++ b/railties/test/application/middleware/remote_ip_test.rb @@ -1,4 +1,6 @@ require 'isolation/abstract_unit' +# FIXME remove DummyKeyGenerator and this require in 4.1 +require 'active_support/key_generator' module ApplicationTests class RemoteIpTest < ActiveSupport::TestCase 
@@ -8,7 +10,7 @@ module ApplicationTests remote_ip = nil env = Rack::MockRequest.env_for("/").merge(env).merge!( 'action_dispatch.show_exceptions' => false, - 'action_dispatch.secret_token' => 'b3c631c314c0bbca50c1b2843150fe33' + 'action_dispatch.key_generator' => ActiveSupport::DummyKeyGenerator.new('b3c631c314c0bbca50c1b2843150fe33') ) endpoint = Proc.new do |e|